Houston, we have a problem
Stefan Claas
stefan.claas at posteo.de
Thu Sep 21 22:11:26 CEST 2017
On Thu, 21 Sep 2017 21:59:26 +0200, Ralph Seichter wrote:
> On 21.09.17 21:38, Stefan Claas wrote:
>
> > The thing is someone could issue a fake sig3 from Heise's CA key to
> > someone else's pub key, without customers detecting it,
> > nor would Heise know it, until of course they would see the keys in
> > question.
>
> I'm not certain what problem you see that has not been around for as
> long as PGP/GPG exists? You can only ever be certain of a signature if
> you have personally verified the signing key and the signer's
> identity. That's why the default owner trust level is "unknown" (not
> trusted).
Well, call me a stupid Mac dummy, but how in the world could GnuPG
users, living in different areas, verify that? As one more example I
give the name here: Governikus CA.

If someone would issue a fake sig3 from Governikus to someone
else, how could you, for example, verify that the sig3 is from
Governikus?
https://pgp.governikus-eid.de/pgp/
Regards
Stefan
--
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
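
An added example, not part of the thread and not GnuPG's own code: the check described in the quoted reply, accepting a sig3 only when its issuer fingerprint equals a CA fingerprint that was verified out of band, applied to `gpg --with-colons --check-sigs` style records. All keys, names and fingerprints are constructed, and the code assumes the issuer-fingerprint field (field 13) is populated; when it is empty the certification is not accepted.

```python
# Added example: every key, name and fingerprint below is constructed.
# Assumption: this is the CA fingerprint the verifier confirmed personally.
PINNED_CA_FPR = "A" * 40

# Constructed colon-format listing: one customer key carrying two sig3
# certifications with identical issuer names but different issuing keys.
SAMPLE = "\n".join([
    "pub:f:4096:1:1111111111111111:1500000000:::-:::scESC::::::23::0:",
    "fpr:::::::::" + "1" * 40 + ":",
    "uid:f::::1500000000::" + "0" * 40 + "::Customer <customer@example.org>::::::::::0:",
    "sig:!::1:" + "A" * 16 + ":1500000100::::Example CA <ca@example.org>:13x::" + "A" * 40 + ":::8:",
    "sig:!::1:" + "B" * 16 + ":1500000200::::Example CA <ca@example.org>:13x::" + "B" * 40 + ":::8:",
])


def level3_certifications(colons_output):
    """Yield one dict per class-0x13 ("sig3") certification record."""
    uid = None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            uid = f[9]                      # field 10: user ID being certified
        elif f[0] == "sig" and len(f) > 12 and f[10][:2] == "13":
            yield {
                "uid": uid,
                "validity": f[1],           # field 2: "!" means the signature checked out
                "issuer_name": f[9],        # field 10: issuer's user ID (not proof of identity)
                "issuer_fpr": f[12],        # field 13: fingerprint of the issuing key
            }


def classify(colons_output, pinned_fpr):
    """Return (issuer_name, issuer_fpr, verdict) for each sig3."""
    results = []
    for cert in level3_certifications(colons_output):
        if cert["validity"] != "!":
            verdict = "unverified"          # bad, missing key, or not checked
        elif cert["issuer_fpr"].upper() == pinned_fpr.upper():
            verdict = "trusted-ca"          # issued by the key we verified ourselves
        else:
            verdict = "unknown-issuer"      # valid signature, but from some other key
        results.append((cert["issuer_name"], cert["issuer_fpr"], verdict))
    return results


if __name__ == "__main__":
    for name, fpr, verdict in classify(SAMPLE, PINNED_CA_FPR):
        print(f"{verdict:15} {fpr} {name}")
```

Both certifications verify cryptographically and show the same issuer name; only the comparison against the pinned fingerprint separates them.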
More information about the Gnupg-users mailing list