get OpenPGP pubkeys authenticated using German personal ID

Andrew Gallagher andrewg at
Thu Jun 1 15:19:29 CEST 2023

On 1 Jun 2023, at 12:23, Alexander Leidinger via Gnupg-users <gnupg-users at> wrote:
> Quoting Bernhard Reiter <bernhard at <mailto:bernhard at>> (from Wed, 31 May 2023 16:55:05 +0200):
>> Obviously they cannot authenticate the email address
>> so once I have a common name, we get collisions?
> The signature is sent to the email listed in the key. In case you share a name with someone who has a PGP key and you sign this key, the person(s) with access to that email account will get the signature.

This is not best practice. Normally when email verification is being performed, the gated action (such as certification, account creation etc.) is not done until after a (time-bound!) challenge/response succeeds. This places too much emphasis on verification of the (non-unique) “real name” component of the UserID, and not enough on the machine-readable email address.

This opens up more fundamental questions about the meaning of signatures over RFC822 UserIDs - do they validate the “real name”, the email address, or some combination of the two? For example, an email-validating CA may only check the email address part, treating the “real name” as little more than a comment; while Governikus appear to be doing it the other way around. It is of course up to the receiver to decide how to interpret signatures, but it only compounds the problem when not only is the signer’s trustworthiness in question, but also their intent. How do you interpret the validity of a claim when it’s not even clear what the claim is?
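The gating that Andrew describes, as an added example that is not part of the original message or of any Governikus or GnuPG code: a server-side, time-bound, single-use challenge bound to one key fingerprint and one email address, where the certification step runs only after the response succeeds. Function names and the sample values are assumptions for the illustration.

```python
"""Time-bound email challenge/response gating an OpenPGP certification.
Added illustration, not code from the Gnupg-users thread or Governikus;
function names and the constructed sample values are assumptions."""
import hashlib
import secrets
import time

CHALLENGE_TTL = 15 * 60  # seconds a challenge stays valid (assumed policy)

# Pending challenges keyed by a hash of the secret mailed to the address, so a
# leaked table yields no usable tokens: hash -> (fingerprint, email, issued_at)
_pending = {}


def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_challenge(fingerprint, email, now=None):
    """Record a challenge for this key/email pair and return the secret to
    mail to `email`. Nothing is certified at this point."""
    issued_at = now if now is not None else time.time()
    token = secrets.token_urlsafe(32)
    _pending[_h(token)] = (fingerprint, email, issued_at)
    return token


def verify_response(token, fingerprint, email, now=None):
    """True only if the token is pending, unexpired and bound to exactly this
    fingerprint and email. The token is consumed on every attempt (single use)."""
    now = now if now is not None else time.time()
    entry = _pending.pop(_h(token), None)
    if entry is None:
        return False  # unknown, already used, or forged token
    fpr, mail, issued_at = entry
    if now - issued_at > CHALLENGE_TTL:
        return False  # expired: the mailbox holder must start over
    # The response must match the key and address the challenge was issued for;
    # another key carrying the same "real name" never matches.
    return fpr == fingerprint and mail == email


def certify_if_verified(token, fingerprint, email, now=None):
    """The gated action: emit the (placeholder) certification only on success."""
    if not verify_response(token, fingerprint, email, now):
        return "refused"
    return f"certify <{email}> on {fingerprint}"
```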

