ping - Governikus

Andrew Gallagher andrewg at andrewg.com
Wed Nov 4 17:29:33 CET 2020


On 04/11/2020 15:33, Stefan Claas wrote:
> The email address has no certification value, because in case of a
> freeform UID they/we would not refuse to sign a key, I strongly assume.

You could sign it if you want, that's not the issue. The issue is what
value a third party would place on such a signature.

> If people use primarily 'social' media for their communications, like
> facebook which has a profile option for a GnuPG pub key, why should
> that pub key bear an email address, once certified?

It does not need to bear an email address, no. But it should bear a
unique identifier of some kind. That could be a URL, or a Twitter
handle, or anything sufficiently distinctive for the purposes for which
a third party would expect to use the key.

> Or take as another security example a YubiKey for 2FA. The key does
> not need an email address, if I log-in to facebook, Twitter, Google etc.
> with the same key(s).

But Facebook, Twitter etc. verify your yubikey themselves. They are not
relying upon a strange yubikey with a certification from a third party
saying "this yubikey belongs to one Stefan Claas".

> Or as an extreme example, my credit card, bank card, ID-card etc.
> have no email address either, when I authenticate with them globally.

Again, your credit card is certified by your bank because your bank owns
your physical credit card. They *made* your credit card. When you use
chip and pin in some shop, the card machine in the shop talks
(indirectly) to your bank, which certifies its own property. This is not
comparable to a third-party signature.

The key phrase I keep repeating in all these arguments is "third party".
For secure communication between two individuals who already have an
established relationship, there is no need for third-party
certification. I still don't see an actual use case for this.

-- 
Andrew Gallagher
