On Thursday 10 March 2011 14:34:13, Robert J. Hansen wrote:
> On 3/10/2011 5:23 AM, Hauke Laging wrote:
> > Those people who just want to protect their
> > social connections by signing other keys without revealing their identity
> > to those who don't know it already have no need to cover their target
> > addresses because the marketing people and "just curious" normal ones are
> > not capable of reading their email traffic. So there already is a use
> > case.
>
> Certifications come in two basic varieties: public and private. A
> public certification is intended as an announcement to the world: "Hey,
> world! I am [name] and I vouch for this certificate!"

That's the technical situation today. But it is no use to announce that to the whole world. It is required only for those people who use your signature in a validation chain. Everyone else does not need (and probably does not use) the signature, so there is no benefit in exposing the connection (though unclear) between the key owner and the certifier.

> If people want to make public pronouncements of social relationship, why
> in the world would you want to deploy a technology that makes it
> difficult to discover this social relationship?

I want to deploy this technology because

a) this is in my strong opinion not what people WANT (it's just what they DO because there is neither much awareness of the problem nor a usable alternative)

b) nobody who really wants to inform the whole world is in any way affected in doing that.

> This doesn't make any sense to me. Quite possibly I have completely
> misunderstood what you're arguing.

May be a language problem, sorry. I'll try with an example:

You have validated my key (among others) and I (among others) have validated Ben's. Now you want to validate Ben's key indirectly. Ben's key has ten signatures; the one by my key is the only one usable for you. The next person who tries to validate finds another signature useful.

It's perfectly OK for me that you can see that I have signed Ben's key, but why should others know that? Why should you be able to find out who the other ones are who have made signatures for Ben's key?

I would make a local signature if I did not want to let anyone know that I have verified the key. But in that case you could not verify Ben's key, which I am willing to enable.

The motto is: Don't reveal more than necessary. You have to reveal something in order to make the whole thing work, but you don't have to reveal all.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users