On 03/11/2020 16:44, Stefan Claas wrote:
> My goal is to have a CA certified pubkey with only one UID and without an
> email address, so that the key pair can universally be used, besides classic
> email, i.e. Fax, Telephone, Radio, Blog post discussions, Bitmessage, File
> Transfer, Postcards, Letters, Social Media chats, Messengers and what not,
> which all do not require an email address. In case of email it should be
> possible to use it for multiple email accounts or, if email accounts change,
> to not edit the key or create a new key.
OK, but what is the meaning of a certification in this context?

Taking just the email section of the above, if I want to send you an email, I can either get the key from you by some private means, or I can look up your key on e.g. a keyserver and check whether somebody I trust (e.g. Governikus) has certified that your key is valid for your email address.

AIUI, you propose that Governikus certify that your key is valid for someone called "Stefan Claas", that they know which one, but they won't disclose that identity to me. How does that help me decide whether your key is valid? If I have to perform a second (manual?) verification step no matter what Governikus says, then it's a better use of my time to try that method first, and Governikus's sig has added nothing of value.

The same argument can be repeated for the other communications methods above.

If third-party certifications are not sufficient in your security model, then what's the point of them at all? Considering that the only reason we use third-party sigs is to cover the cases where other, stronger, verification schemes (physical meeting, phone calls etc.) are inappropriate or inconvenient.

-- 
Andrew Gallagher
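The verification step Andrew describes (look up the key, then ask whether a certifier I trust has bound it to the address I am writing to) can be modelled in a few lines. The following is an added example and is not code from the thread or from GnuPG; it is a deliberately simplified model of OpenPGP User ID certification, not GnuPG's actual trust-model implementation. Fingerprints, names and addresses are constructed placeholders. It shows why a certification on a UID that carries no email address cannot help a correspondent decide validity for any email address, however trusted the certifier is.

```python
import re
from dataclasses import dataclass, field

# Simplified model (added example): a certification is a third party's signature
# over one specific User ID string on a primary key. A verifier who trusts the
# certifier treats that UID, and only that UID, as valid for that key.
UID_ADDR_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")


@dataclass(frozen=True)
class Certification:
    uid: str        # exact User ID string the certification signature covers
    certifier: str  # fingerprint of the key that made the certification


@dataclass
class PublicKey:
    fingerprint: str
    uids: list
    certifications: list = field(default_factory=list)


def uid_email(uid):
    """Return the address part of a UID such as 'Name <a@b>' (lowercased), or None."""
    m = UID_ADDR_RE.search(uid)
    return m.group(1).lower() if m else None


def certified_uids(key, trusted):
    """UIDs on `key` that carry at least one certification from a trusted certifier.

    A certification over a UID string that is no longer on the key is ignored:
    the signature binds key + UID text, so it says nothing about other UIDs.
    """
    return {
        c.uid
        for c in key.certifications
        if c.certifier in trusted and c.uid in key.uids
    }


def valid_for_address(key, address, trusted):
    """True iff a trusted-certified UID binds `key` to this email address."""
    address = address.lower()
    return any(uid_email(u) == address for u in certified_uids(key, trusted))


def constructed_keys():
    """Constructed sample data: one trusted CA and two certified keys."""
    ca = "CA00 CA00 CA00 CA00 CA00 CA00 CA00 CA00 CA00 CA00"   # placeholder
    stranger = "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF"  # placeholder

    # Key with a conventional UID: name plus address, certified by the CA.
    key_with_addr = PublicKey(
        fingerprint="AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA",
        uids=["Alice Example <alice@example.org>"],
        certifications=[
            Certification("Alice Example <alice@example.org>", ca),
            # A certification from someone I do not trust adds nothing.
            Certification("Alice Example <alice@example.org>", stranger),
        ],
    )

    # Key with a single name-only UID, as proposed in the thread, also CA-certified.
    key_name_only = PublicKey(
        fingerprint="BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB",
        uids=["Bob Example"],
        certifications=[Certification("Bob Example", ca)],
    )
    return ca, key_with_addr, key_name_only


if __name__ == "__main__":
    ca, alice, bob = constructed_keys()
    print("alice@example.org on Alice's key:", valid_for_address(alice, "alice@example.org", {ca}))
    print("bob@example.org on Bob's key:    ", valid_for_address(bob, "bob@example.org", {ca}))
    print("Bob's CA-certified UIDs:         ", certified_uids(bob, {ca}))
```

Run stand-alone, the name-only key reports a CA-certified UID but no validity for any address: the certification is present and genuine, yet the correspondent still has to establish the address binding by some other means, which is exactly the objection raised above.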
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users