ping - Governikus
andrewg at andrewg.com
Wed Nov 4 12:38:46 CET 2020
On 03/11/2020 16:44, Stefan Claas wrote:
> My goal is to have a CA certified pubkey with only one UID and without
> an email address, so that the key pair can be universally used, besides
> classic email, i.e. Fax, Telephone, Radio, Blog post discussions,
> Bitmessage, File Transfer, Postcards, Letters, Social Media chats,
> Messengers and what not, which all do not require an email address. In
> case of email it should be possible to use it for multiple email
> accounts or, if email accounts change, to not edit the key or create a
> new key.
OK, but what is the meaning of a certification in this context? Taking
just the email section of the above, if I want to send you an email, I
can either get the key from you by some private means, or I can look up
your key on e.g. a keyserver and check whether somebody I trust (e.g.
Governikus) has certified that your key is valid for your email address.
AIUI, you propose that Governikus certify that your key is valid for
someone called "Stefan Claas", that they know which one, but they won't
disclose that identity to me. How does that help me decide whether your
key is valid? If I have to perform a second (manual?) verification step
no matter what Governikus says, then it's a better use of my time to try
that method first, and Governikus's sig has added nothing of value.
The same argument can be repeated for the other communications methods
above. If third-party certifications are not sufficient in your security
model, then what's the point of them at all, considering that the only
reason we use third-party sigs is to cover the cases where other,
stronger, verification schemes (physical meeting, phone calls etc.) are
inappropriate or inconvenient?