On 22.09.2017 at 02:37, Ángel wrote:
On 2017-09-21 at 23:37 +0200, Stefan Claas wrote:
Long ago, when we had a discussion here on the Mailing List on
how to prevent unwanted signatures, I made a proposal that
signing someone's public key should work similarly to revocation
certificates. If you would like to sign my pub key, you had to
send me a, let's call it, Signature Request Certificate; if I accept
it, I enter my passphrase and then the Software would extract
the needed signature bits from the request cert and add those
bits to my pub key. Like I said, I'm no programmer and can't
therefore test if such a feature proposal would work.


Nope. This would solve the case of «Key of legitimate user signed by
fake user»¹ but not «Fake user signed by another fake user», which is
the problem.

¹ Assuming the legitimate one would notice and not allow his key to be
signed by the evil one, which is no problem, actually.

The proposal would be technically feasible (invalidating all existing
signatures, and probably conflicting with local sigs, but feasible).
However, it wouldn't solve the underlying problem.

Thanks for your insights, much appreciated!


Gnupg-users mailing list
