"just invent something..."

Robert J. Hansen rjh at sixdemonbag.org
Sun May 24 06:14:20 CEST 2020


> I see a big hole in the validation part. The steps provided are
> validating the offline identity but not matching it to the certificate
> uid.

Correct, and that's by design.

There is no -- *NO* -- generally understood meaning for user IDs beyond
"the name here is a meaningful term of address for an individual or
individuals who control this email address".

Many years ago I was in Germany and tried to persuade a friend of mine
to do the hard right thing as opposed to the easy wrong thing.  She
rolled her eyes at me and declared "du bist Rob, der Ritter".  ("You're
Rob, the knight.")  She was attempting to be sarcastic.  Bystanders
misheard her as "du bist ein Raubritter" and a new nickname for me was
born.[1]

So let's say I give you my ID and you're one of these people who knows
me as Raubritter.  Would you sign raubritter at sixdemonbag.org?  Probably.
Should you?  Sure, why not?  You know there's a specific person, me,
who answers that email address and you know exactly who I am in the eyes
of the law, thanks to seeing my ID.

So why shouldn't you sign a pseudonym, if you know the pseudonym maps to
an individual person?  And if you're going to sign a pseudonym, why not
sign donald_trump at sixdemonbag.org if you happen to know there's a person
or persons at that domain which answer to that name?



[1] This was thirty years ago.  Words tend to change their cultural and
slang meanings over the years.  I don't know what the current
implications of "Raubritter" are, and for that reason I don't use it or
advertise it to others... but yeah, there are people who have known me
for thirty years who still call me that.



More information about the Gnupg-users mailing list