Brandon Anderson wrote:
Andrew Gallagher wrote:
On 14 Jul 2021, at 18:34, Стефан Васильев via Gnupg-users
<gnupg-users@gnupg.org> wrote:
Viktor wrote:
It's the same as putting any other public information in public key
certificate. You can put first and last name, email address and
even
photo of another person.
But this information can be digitally verified and is issued EU wide
by
Governemnt trusted sources in this field.
But this puts logical causality the wrong way around. Just because
the
thing *being signed* is genuine, does not prove that the thing *doing
the signing* is genuine.
IMO this proposal is abuse of the public key infrastructure. If you
want to sign an ID document, just sign an ID document and distribute
it through other channels. Attaching it as a signed packet to a key
adds zero value, at nonzero cost.
What abuse do you see here, if I may ask? I see it as an non-public
option
among virtual GnuPG friends to include in a duplicate certified data,
which
is not meant to been distributed on keyservers etc. or made public to
the world and acts for two pub keys comparison.
Again, this does not sound very secure or make much sense to me. It
also seems to make several assumptions that I do not think are proper
in any security situation that would call for GPG to begin with. You
want to share a secret credential that you have with someone not in
person to prove identity, something which can be copied and shared
with others no differently than when you shared it with them. It is
like using a government-backed CA but worse because you give everyone
you communicate with access to the secret. You are assuming the person
you are sharing this picture with won't use it themselves to
impersonate you. You are assuming the communication channel you are
using to share this picture with is secure and not being intercepted
or spied upon, which could result in someone stealing and using this
credential themselves. This then begs the question, if you have a
channel that securely communicates between the two parties (the other
party you trust enough to share this secret credential with) anyways,
what the need for the QR code to begin with is? Just share your public
key and be done with it.
It would tell me as 3rd party that for WoT puposes, if this is still
used,
Alice and her good friend Bob were able to sign their pub keys remotely,
based on a free of charge verification method.
Regards
Stefan
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
