Call me crazy, but ...

Стефан Васильев stefan.vasilev at
Thu Jul 15 00:51:04 CEST 2021

Brandon Anderson wrote:
>> Andrew Gallagher wrote:
>>>> On 14 Jul 2021, at 18:34, Стефан Васильев via Gnupg-users
>>>> <gnupg-users at> wrote:
>>>> Viktor wrote:
>>>>> It's the same as putting any other public information in a public key
>>>>> certificate. You can put the first and last name, email address and
>>>>> even photo of another person.
>>>> But this information can be digitally verified and is issued EU-wide
>>>> by government-trusted sources in this field.
>>> But this puts logical causality the wrong way around. Just because the
>>> thing *being signed* is genuine does not prove that the thing *doing
>>> the signing* is genuine.
>>> IMO this proposal is abuse of the public key infrastructure. If you
>>> want to sign an ID document, just sign an ID document and distribute
>>> it through other channels. Attaching it as a signed packet to a key
>>> adds zero value, at nonzero cost.
>> What abuse do you see here, if I may ask? I see it as a non-public
>> option among virtual GnuPG friends to include duplicate certified data,
>> which is not meant to be distributed on keyservers etc. or made public
>> to the world, and which serves for comparing two pub keys.
> Again, this does not sound very secure or make much sense to me. It
> also seems to make several assumptions that I do not think are proper
> in any security situation that would call for GPG to begin with. You
> want to share a secret credential that you have with someone not in
> person to prove identity, something which can be copied and shared
> with others no differently than when you shared it with them. It is
> like using a government-backed CA but worse because you give everyone
> you communicate with access to the secret. You are assuming the person
> you are sharing this picture with won't use it themselves to
> impersonate you. You are assuming the communication channel you are
> using to share this picture with is secure and not being intercepted
> or spied upon, which could result in someone stealing and using this
> credential themselves. This then begs the question, if you have a
> channel that securely communicates between the two parties (the other
> party you trust enough to share this secret credential with) anyways,
> what the need for the QR code to begin with is? Just share your public
> key and be done with it.

It would tell me as a 3rd party, for WoT purposes, that if this is still
Alice, she and her good friend Bob were able to sign their pub keys remotely,
based on a free-of-charge verification method.
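Andrew's point (a genuine signed document says nothing about the key it is attached to) and Brandon's point (the attached packet can be copied into anyone's key) can be shown in a few lines. The following is an added example, not code from this thread or from GnuPG: an Ed25519 key pair stands in for the government issuer, two more stand in for Alice's and Mallory's OpenPGP keys, and the types idPacket and pgpKey are hypothetical models of "a key with a signed ID document attached", not real OpenPGP packet types. The ID document text is constructed sample data. The first check, naiveCheck, is all that the proposal makes possible, because the issuer only ever signed the document; the second check, boundCheck, shows what the issuer would have to sign for the attestation to say anything about a key at all.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// idPacket is a hypothetical model of the proposed "signed ID document"
// attached to a key: the document bytes plus the issuer's detached signature.
type idPacket struct {
	Document  []byte
	IssuerSig []byte
}

// pgpKey is a minimal model of an OpenPGP certificate: a primary public key
// with one attached ID packet. Hypothetical names, not OpenPGP packet types.
type pgpKey struct {
	Pub      ed25519.PublicKey
	Attached idPacket
}

// fingerprint stands in for an OpenPGP key fingerprint (SHA-256 of the raw key).
func fingerprint(pub ed25519.PublicKey) []byte {
	sum := sha256.Sum256(pub)
	return sum[:]
}

// naiveCheck is what the thread's proposal amounts to: confirm that the
// attached document carries a genuine issuer signature. The key itself is
// never an input, so the result is identical for every key the packet is
// pasted into.
func naiveCheck(issuer ed25519.PublicKey, k pgpKey) bool {
	return ed25519.Verify(issuer, k.Attached.Document, k.Attached.IssuerSig)
}

// boundCheck requires the issuer's signature to cover the key fingerprint
// together with the document, so moving the packet to another key breaks it.
func boundCheck(issuer ed25519.PublicKey, k pgpKey) bool {
	msg := append(fingerprint(k.Pub), k.Attached.Document...)
	return ed25519.Verify(issuer, msg, k.Attached.IssuerSig)
}

// scenario holds the four verification outcomes for the demonstration.
type scenario struct {
	NaiveAlice, NaiveMallory bool
	BoundAlice, BoundMallory bool
}

// runScenario builds the issuer, Alice and Mallory, attaches the same signed
// ID packet to both keys, and runs both checks.
func runScenario() (scenario, error) {
	issuerPub, issuerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return scenario{}, err
	}
	alicePub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return scenario{}, err
	}
	malloryPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return scenario{}, err
	}

	// Constructed sample ID document; the content is irrelevant to the point.
	doc := []byte("ID card: Alice Example, born 1990-01-01, document no. 0000000")

	// Case 1 (the proposal): the issuer signed only the document. Mallory
	// copies Alice's packet verbatim into her own key.
	docOnly := idPacket{Document: doc, IssuerSig: ed25519.Sign(issuerPriv, doc)}
	alice := pgpKey{Pub: alicePub, Attached: docOnly}
	mallory := pgpKey{Pub: malloryPub, Attached: docOnly}

	// Case 2: the issuer signed Alice's key fingerprint together with the
	// document. The same packet copied to Mallory's key no longer verifies.
	boundMsg := append(fingerprint(alicePub), doc...)
	bound := idPacket{Document: doc, IssuerSig: ed25519.Sign(issuerPriv, boundMsg)}
	aliceBound := pgpKey{Pub: alicePub, Attached: bound}
	malloryBound := pgpKey{Pub: malloryPub, Attached: bound}

	return scenario{
		NaiveAlice:   naiveCheck(issuerPub, alice),
		NaiveMallory: naiveCheck(issuerPub, mallory),
		BoundAlice:   boundCheck(issuerPub, aliceBound),
		BoundMallory: boundCheck(issuerPub, malloryBound),
	}, nil
}

func main() {
	s, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("document-only attestation: Alice=%v Mallory=%v\n", s.NaiveAlice, s.NaiveMallory)
	fmt.Printf("key-bound attestation:     Alice=%v Mallory=%v\n", s.BoundAlice, s.BoundMallory)
}
```

In case 1 both keys pass, which is the "causality the wrong way around" problem: the verifier has established that the ID document is genuine and nothing about who holds the key. Case 2 passes only for Alice, but it needs the issuer to sign the fingerprint, and no government ID scheme in the thread does that, which is why attaching the document to the key adds nothing over sending it out of band.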

