ping - Governikus

Stefan Claas spam.trap.mailing.lists at gmail.com
Wed Nov 4 16:33:28 CET 2020


On Wed, Nov 4, 2020 at 11:42 AM Andrew Gallagher <andrewg at andrewg.com> wrote:
>
> On 03/11/2020 16:44, Stefan Claas wrote:
> > My goal is to have a CA-certified pubkey with only one UID and without an
> > email address, so that the key pair can be universally used, besides
> > classic email, i.e. fax, telephone, radio, blog post discussions,
> > Bitmessage, file transfer, postcards, letters, social media chats,
> > messengers and what not, which all do not require an email address. In
> > the case of email it should be possible to use it for multiple email
> > accounts, or if email accounts change, to not edit the key or create a
> > new key.
>
> OK, but what is the meaning of a certification in this context? Taking
> just the email section of the above, if I want to send you an email, I
> can either get the key from you by some private means, or I can look up
> your key on e.g. a keyserver and check whether somebody I trust (e.g.
> Governikus) has certified that your key is valid for your email address.
>
> AIUI, you propose that Governikus certify that your key is valid for
> someone called "Stefan Claas", that they know which one, but they won't
> disclose that identity to me. How does that help me decide whether your
> key is valid? If I have to perform a second (manual?) verification step
> no matter what Governikus says, then it's a better use of my time to try
> that method first, and Governikus's sig has added nothing of value.
>
> The same argument can be repeated for the other communications methods
> above. If third-party certifications are not sufficient in your security
> model, then what's the point of them at all? Considering that the only
> reason we use third-party sigs is to cover the cases where other,
> stronger, verification schemes (physical meeting, phone calls etc.) are
> inappropriate or inconvenient.

If people meet at a key signing party, or we both would meet in person, they/we
usually check the name of the key holder and compare it with ID cards and the
fingerprints of the keys. The email address has no certification value, because
in the case of a freeform UID they/we would not refuse to sign a key, I strongly
assume.

Regards
Stefan
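A runnable illustration of the key shape discussed in this thread, added here as an example (it is not code from the thread, from Governikus or from the GnuPG project): a throwaway keyring in which one key acting as a CA certifies a second key whose only UID is the bare name "Stefan Claas" with no email address. The CA's name, the email addresses and the temporary keyring are sample values chosen for the demo. The script then checks what such a certification does and does not give a third party: the CA's signature over the (key, UID) binding verifies as good, but a lookup by any email address finds nothing, because no UID on the key carries one.

```shell
#!/bin/sh
# Added example, not from the original post. Requires gpg 2.1 or later;
# everything happens in a temporary GNUPGHOME that is removed on exit.
set -eu

DEMO_HOME=

cleanup() {
    if [ -n "$DEMO_HOME" ]; then
        GNUPGHOME="$DEMO_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
        rm -rf "$DEMO_HOME"
    fi
}
trap cleanup EXIT

# Batch-friendly gpg: no pinentry, empty passphrase, no prompts.
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of the key matching a user-id pattern
# ("=..." is gpg's exact-match syntax, "<addr>" matches an email address).
fpr_of() { g --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Long key ID: the last 16 hex digits of a v4 fingerprint.
keyid_of() { printf '%s' "$1" | tail -c 16; }

# Builds a fresh keyring with a CA key and a holder key whose single UID is a
# bare name, then has the CA certify that UID. Sets CA_FPR and HOLDER_FPR.
setup_keyring() {
    cleanup
    DEMO_HOME=$(mktemp -d)
    chmod 700 "$DEMO_HOME"
    export GNUPGHOME="$DEMO_HOME"

    # 1. The certifying authority (sample name and address).
    g --quick-generate-key "Example CA <ca@example.org>" default default never
    CA_FPR=$(fpr_of "Example CA")

    # 2. The key holder: one UID, no email. --allow-freeform-uid switches off
    #    gpg's checks on the shape of a new user id, should this version apply them.
    g --allow-freeform-uid --quick-generate-key "Stefan Claas" default default never
    HOLDER_FPR=$(fpr_of "=Stefan Claas")

    # 3. The CA certifies the binding between the holder's key and the string
    #    "Stefan Claas". There is no email address for it to have checked.
    g --default-key "$CA_FPR" --quick-sign-key "$HOLDER_FPR"
}

# True if the key $1 carries a good ("!") certification issued by key ID $2.
# In --with-colons output a sig record is: sig:<validity>::<algo>:<keyid>:...
ca_certified() {
    g --with-colons --check-sigs "$1" \
      | awk -F: -v id="$2" '$1=="sig" && $2=="!" && $5==id {found=1} END{exit !found}'
}

# True if some key in the keyring has a UID with exactly this email address.
findable_by_email() {
    g --with-colons --list-keys "<$1>" >/dev/null 2>&1
}

main() {
    setup_keyring
    ca_id=$(keyid_of "$CA_FPR")
    if ca_certified "$HOLDER_FPR" "$ca_id"; then
        echo "CA $ca_id certified UID 'Stefan Claas' on key $HOLDER_FPR"
    fi
    if findable_by_email stefan@example.org; then
        echo "found a key by email address"
    else
        echo "no UID carries an email address: lookup by <stefan@example.org> finds nothing"
    fi
    gpg --check-sigs "$HOLDER_FPR"    # human-readable listing of the certification
}

command -v gpg >/dev/null 2>&1 && main
```

The CA's signature is over the key and the literal UID string, so the only statement it can make is the one Andrew describes: some key belongs to someone the CA knows as "Stefan Claas". Whoever needs the key for an email address still has to obtain the fingerprint by another route, since `gpg --list-keys "<addr>"` and a keyserver lookup by address have nothing to match on.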



More information about the Gnupg-users mailing list