Andrew Gallagher wrote:
On 14 Jul 2021, at 18:34, Стефан Васильев via Gnupg-users
<gnupg-users@gnupg.org> wrote:
Viktor wrote:
It's the same as putting any other public information in public key
certificate. You can put first and last name, email address and even
photo of another person.
But this information can be digitally verified and is issued EU wide by
Government trusted sources in this field.
But this puts logical causality the wrong way around. Just because the
thing *being signed* is genuine, does not prove that the thing *doing
the signing* is genuine.
IMO this proposal is abuse of the public key infrastructure. If you
want to sign an ID document, just sign an ID document and distribute
it through other channels. Attaching it as a signed packet to a key
adds zero value, at nonzero cost.
What abuse do you see here, if I may ask? I see it as a non-public option
among virtual GnuPG friends to include in a duplicate certified data, which
is not meant to be distributed on keyservers etc. or made public to
the world and acts for two pub keys comparison.
Again, this does not sound very secure or make much sense to me. It also
seems to make several assumptions that I do not think are proper in any
security situation that would call for GPG to begin with. You want to
share a secret credential that you have with someone not in person to
prove identity, something which can be copied and shared with others no
differently than when you shared it with them. It is like using a
government-backed CA but worse because you give everyone you communicate
with access to the secret. You are assuming the person you are sharing
this picture with won't use it themselves to impersonate you. You are
assuming the communication channel you are using to share this picture
with is secure and not being intercepted or spied upon, which could
result in someone stealing and using this credential themselves. This
then begs the question, if you have a channel that securely communicates
between the two parties (the other party you trust enough to share this
secret credential with) anyways, what the need for the QR code to begin
with is? Just share your public key and be done with it.