Call me crazy, but ...

Andrew Gallagher andrewg at andrewg.com
Thu Jul 15 02:05:28 CEST 2021


> On 14 Jul 2021, at 19:49, Стефан Васильев <stefan.vasilev at posteo.ru> wrote:
> 
> Andrew Gallagher wrote:
>>>> On 14 Jul 2021, at 18:34, Стефан Васильев via Gnupg-users <gnupg-users at gnupg.org> wrote:
>>> Viktor wrote:
>>>> It's the same as putting any other public information in public key
>>>> certificate. You can put first and last name, email address and even
>>>> photo of another person.
>>> But this information can be digitally verified and is issued EU wide by
>>> Government trusted sources in this field.
>> But this puts logical causality the wrong way around. Just because the
>> thing *being signed* is genuine, does not prove that the thing *doing
>> the signing* is genuine.
>> IMO this proposal is abuse of the public key infrastructure. If you
>> want to sign an ID document, just sign an ID document and distribute
>> it through other channels. Attaching it as a signed packet to a key
>> adds zero value, at nonzero cost.
> 
> What abuse do you see here, if I may ask? I see it as a non-public option
> among virtual GnuPG friends to include in a duplicate certified data, which
> is not meant to be distributed on keyservers etc. or made public to
> the world and acts for two pub keys comparison.

As currently configured, there is nothing to stop this sort of information being uploaded to a keyserver. So while keyserver operators cannot yet forbid it, we should certainly not encourage it. And in any case, we should always ask what value is being added by a particular proposal, weighed against what (potential) costs are being incurred. Remembering that costs are not always borne by those enjoying the benefits. 

A

