ping - Governikus
spam.trap.mailing.lists at gmail.com
Mon Nov 2 20:12:21 CET 2020
On Mon, Nov 2, 2020 at 12:10 PM Andrew Gallagher <andrewg at andrewg.com> wrote:
> On 31/10/2020 23:45, Stefan Claas wrote:
> > I am aware that there is a second 'Stefan Claas' living in Germany
> > but he would not have the same fingerprint as I would have. In case
> > of doubt people could always prove to third parties, if requested,
> > that one is the actual key holder, with a simple challenge/response.
> This may be an acceptable edge case for one Stefan Claas, but maybe not
> for Stefan Müller or Stefan Schmidt. Or even the other Stefan Claas, who
> may not appreciate you being able to more easily impersonate him. :-)
> If Governikus (or anyone else for that matter) were to start certifying
> ambiguous identities, it would devalue their name across the board. Why
> would they do that?
You are correct, they would not do that. While I thought also about
the possibility that here in Germany are for example thousands of
Müller or Meier etc. I could imagine that not only two of them bear
the same first name. It would be interesting to get hold of them and
then convince them to use a shared email account, while everybody
of them would then have to generate their own key pair and then
let it sign by Governikus.
I think a solution to this problem could be PBKDF2 hashed data
in the UID, but developing an OpenPGP certifying workflow could
be a bit tricky.
More information about the Gnupg-users