On 2/28/11 9:09 AM, David Shaw wrote: > You can do quite a lot with stuff like this. Who signed who can > tell you who this person has met, and often where.
It should be emphasized that *can* is not the same thing as *does*; and it doesn't necessarily allow you to do it with a high degree of confidence. Not that I'm disagreeing with David here: I just want to make sure people don't misinterpret. > Robert and I did an experiment a few months ago where starting only > from his public key, I was easily able to find out real-world > addresses, parents names, siblings, etc. This was, IMO, ultimately an ambiguous result. There is nothing that he was able to derive from my certificate that he couldn't have figured out from visiting my webpage, reading the GnuPG archives, and so forth. The usefulness of the certificate as a source of data was not well-established, IMO: the usefulness of OSINT was quite well-established. Rather than rehash the old debate, read the original discussion: http://www.mail-archive.com/gnupg-users@gnupg.org/msg13052.html _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
