can't verify signature
Ben Finney
ben@benfinney.id.au
Sat Jul 26 11:30:02 2003
On 26-Jul-2003, Gustavo Vasconcelos wrote:
> So, if a company decides to act as a CA for their employees, what's
> wrong with that?
Nothing (if you accept the doctrine of CAs, which is a whole other
discussion).
The discussion of this particular key arose because the key has
*different people* listed as UIDs on the key. A key should be bound to
an individual, not multiple persons.
> I could even sign the corporate key, if I could check the
> documentation of the company, and the identifications of its CEOs.
That wouldn't be too useful; by definition, a CA is ultimately trusted
by those who (must) use it. Signing its key adds nothing to the trust
model.
> I have pubkeys with pseudonyms. Is that wrong?
No, so long as each one is bound only to you, and can't be used by
multiple people.
Also, if no-one can connect the key to you, it will (hopefully) never be
signed, so it is outside the web of trust. This doesn't render it
useless, though.
-- 
\ "I put instant coffee in a microwave oven and almost went back |
`\ in time." -- Steven Wright |
_o__) |
ben@benfinney.id.au F'print 9CFE12B0 791A4267 887F520C B7AC2E51 BD41714B