On Wed, Nov 4, 2020 at 11:42 AM Andrew Gallagher <andr...@andrewg.com> wrote:
>
> On 03/11/2020 16:44, Stefan Claas wrote:
> > My goal is to have a CA certified pubkey with only one UID and without
> > an email address, so that the key pair can universally be used, besides
> > classic email, i.e. Fax, Telephone, Radio, Blog post discussions,
> > Bitmessage, File Transfer, Postcards, Letters, Social Media chats,
> > Messengers and what not, which all do not require an email address. In
> > case of email it should be possible to use it for multiple email
> > accounts, or if email accounts change, to not edit the key or create a
> > new key.
>
> OK, but what is the meaning of a certification in this context? Taking
> just the email section of the above, if I want to send you an email, I
> can either get the key from you by some private means, or I can look up
> your key on e.g. a keyserver and check whether somebody I trust (e.g.
> Governikus) has certified that your key is valid for your email address.
>
> AIUI, you propose that Governikus certify that your key is valid for
> someone called "Stefan Claas", that they know which one, but they won't
> disclose that identity to me. How does that help me decide whether your
> key is valid? If I have to perform a second (manual?) verification step
> no matter what Governikus says, then it's a better use of my time to try
> that method first, and Governikus's sig has added nothing of value.
>
> The same argument can be repeated for the other communications methods
> above. If third-party certifications are not sufficient in your security
> model, then what's the point of them at all? Considering that the only
> reason we use third-party sigs is to cover the cases where other,
> stronger, verification schemes (physical meeting, phone calls etc.) are
> inappropriate or inconvenient.
If people meet at a key signing party, or if we both would meet in person,
they/we usually check the name of the key holder and compare it with ID
cards and the fingerprints of the keys. The email address has no
certification value, because in the case of a freeform UID they/we would
not refuse to sign a key, I strongly assume.

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
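The model the two messages argue about (a CA certifying a UID that is only a name, and a relying party who trusts that CA) can be walked through with GnuPG itself. The script below is an added example for this thread, not something posted by either participant or shipped with GnuPG. The "Example CA", the bare-name UID "Stefan Claas" and the "Andrew Gallagher <andrew@example.org>" relying party are constructed for the demo; it assumes GnuPG 2.1 or later (for the `--quick-*` commands) and uses a throw-away GNUPGHOME per party, so it never touches a real keyring.

```shell
#!/bin/sh
# Added example, not from the thread: the CA, the UID "Stefan Claas" (no
# email address) and the relying party "Andrew" are all constructed here.
# Every party gets its own throw-away GNUPGHOME under a temp directory.
set -e

WORK=$(mktemp -d)
cleanup() {
    for h in "$WORK"/ca "$WORK"/stefan "$WORK"/andrew; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gpg that never prompts: batch mode, empty passphrase via loopback pinentry.
# usage: g <homedir> <gpg args...>
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --yes --no-tty \
        --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null
}

# Fingerprint of the (only) secret key in a homedir.
fpr_of() {
    g "$1" --with-colons --list-secret-keys | awk -F: '/^fpr:/ { print $10; exit }'
}

# Validity letter of the first UID of key $2, as computed in homedir $1
# ('-' unknown, 'm' marginal, 'f' full, 'u' ultimate).
uid_validity() {
    g "$1" --with-colons --list-keys "$2" | awk -F: '/^uid:/ { print $2; exit }'
}

# Exit status 0 if key selector $2 matches a key in homedir $1.
key_found() {
    g "$1" --list-keys "$2" >/dev/null
}

# 1. The CA and Stefan each generate a key. Stefan's single UID is a bare
#    name: there is no email address anywhere in the key.
for p in ca stefan andrew; do mkdir -m 700 "$WORK/$p"; done
g "$WORK/ca"     --quick-gen-key "Example CA <ca@example.org>" default default never
g "$WORK/stefan" --quick-gen-key "Stefan Claas" default default never
CA_FPR=$(fpr_of "$WORK/ca")
STEFAN_FPR=$(fpr_of "$WORK/stefan")

# 2. The CA certifies Stefan's UID (after whatever identity check it does)
#    and the certified public key is what gets published.
g "$WORK/stefan" --export -o "$WORK/stefan.pub" "$STEFAN_FPR"
g "$WORK/ca"     --import "$WORK/stefan.pub"
g "$WORK/ca"     --quick-sign-key "$STEFAN_FPR"
g "$WORK/ca"     --export -o "$WORK/stefan-certified.pub" "$STEFAN_FPR"
g "$WORK/ca"     --export -o "$WORK/ca.pub" "$CA_FPR"

# 3. Andrew imports both public keys. A certification only counts once the
#    certifying key is itself valid and trusted, so he marks the CA key
#    valid with a local signature (having checked its fingerprint out of
#    band) and gives it full ownertrust (5): a single CA certification then
#    makes a UID fully valid.
ANDREW="$WORK/andrew"
g "$ANDREW" --quick-gen-key "Andrew Gallagher <andrew@example.org>" default default never
g "$ANDREW" --import "$WORK/ca.pub" "$WORK/stefan-certified.pub"
echo "validity before trusting the CA: $(uid_validity "$ANDREW" "$STEFAN_FPR")"
g "$ANDREW" --quick-lsign-key "$CA_FPR"
printf '%s:5:\n' "$CA_FPR" | g "$ANDREW" --import-ownertrust
g "$ANDREW" --check-trustdb
echo "validity after trusting the CA:  $(uid_validity "$ANDREW" "$STEFAN_FPR")"

# 4. What the certification binds is the UID string. Selecting the key by
#    name works; selecting it by an email address cannot, because the UID
#    carries none, so nothing ties this key to any mailbox.
key_found "$ANDREW" 'Stefan Claas' && echo "found by name"
key_found "$ANDREW" '<stefan@example.org>' || echo "not found by email address"
```

Run it with `sh demo.sh`. After step 3 the UID reads as fully valid (`f`) in Andrew's keyring, which is exactly what the CA's signature buys: GnuPG now believes the key belongs to someone called "Stefan Claas". Step 4 shows the limit Andrew's message points at: address-based selection (`<addr>`, and likewise `--locate-keys` or WKD, which look up by email address) finds nothing, so for any concrete channel the correspondent still has to connect the name to the person by some other means.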