On 8/22/2010 10:54 AM, C.J. Adams-Collier KF7BMP wrote:
> Because none of the information provided indicates in any way that the
> private key corresponding with the public key provided is under Chris'
> control.

If Christoph were himself making assurances about certificates, this would be relevant. As he is not, I don't see how it is. The assurances are made by the individual signers on the certificates he distributes. I don't imagine you're going to demand each and every certificate holder contact you to verify their private keys -- so why do you expect Christoph to do so? Perhaps there's a good reason for it, but so far I'm not seeing it.

> (1) The secretary must recognize one or more repositories, after finding
> that a repository to be recognized:
> ... (d) Contains no significant amount of information that is known or
> likely to be untrue, inaccurate, or not reasonably reliable;

I am not a lawyer, obviously. However, it seems to me that if you consider Christoph's private certificate to be a significant amount of information, even though it has absolutely no influence on the public certificates he distributes, you must also consider the individual signatures on those certificates to be significant amounts of information, since those do influence the public certificates.

(This doesn't even get into the 45 keys on the keyservers marked as "whitehouse.gov", or the ones in the names of various celebrities, and so forth. There is a significant amount of information in the certificate pool which is likely to be untrue, inaccurate, or not reasonably reliable.)

> All of this is correct. However, the advice is generally applicable to
> signing- and trust-related activities.

It is generally applicable within your security model. I am skeptical that your advice is applicable within mine.

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/sks-devel