Call me crazy, but ...

Стефан Васильев stefan.vasilev at posteo.ru
Wed Jul 14 19:32:58 CEST 2021


Viktor wrote:

> It's the same as putting any other public information in public key
> certificate. You can put first and last name, email address and even
> photo of another person.

But this information can be digitally verified and is issued EU wide by
Government trusted sources in this field.

> In general: unless we have other trusted person to verify that public
> key belongs to certain person, we can not ensure key owner identity
> before we have some transactions signed with this key.

I think nowadays in digital age the time of single individuals who need
to be trusted for digital verification purposes is long over, or how would
you manage this if you, for example, are a trusted person with no
sigs from others and people in other countries should trust you and
your verification skills (and honesty)?

> And we should not only trust person that has verified public key
> certificate, we should also know and trust the procedure this person
> used to verify public key certificate. And this is very important if
> there is a dispute, say about a signed contract.

In EU with eID and eIDAS it is all outlined and nobody has again to
trust a single individual or his skill set the person used to verify
a valid certificate.

The reason why I opened this thread was to show users the cheapest[1]
way to put digitally certified data, from trusted EU sources, which can
be digitally verified, into a photo-ID, to bind the included full name to
the same full name as the pub key's UID.

However, just used as duplicate for comparison and not to be uploaded
to keyservers like I said in another reply.

[1] In Germany exists Governikus, which acts on behalf of the BSI as
CA for OpenPGP users for free, but it never took off among German
GnuPG users, because it requires the purchase of a BSI certified
card reader and that the person already has a new ID-card, on which
this functionality is activated in the ID-card chip.

> This was the flaw in pgp's web of trust: verification procedures were 
> not known.

I would say they were known, but you could not rely on them.

Regards
Stefan



