"just invent something..."

Stefan Claas sac at 300baud.de
Sat May 23 21:03:34 CEST 2020


Robert J. Hansen wrote:
 
> > - The trust in the correspondent's public key is established only
> > by comparing the key fingerprint derived programmatically from the
> > locally stored key-file and a copy independently obtained from
> > the owner. The only identification of a public key is its
> > fingerprint. Since the public key is either known to an adversary,
> > or it is very hard to guard against such eventuality, the public
> > key itself should not provide the adversary with any useful
> > information.
> 
> Okay, but this seems largely redundant with section 8.12 of the FAQ,
> which, uh ... does exactly this.  What exactly are you objecting to?

[...]

I think that many people have multiple email accounts and would like
to see a way to have a procedure in place with GnuPG that would allow
them to use such a public key, with only one UID (or none), covered in
the FAQ.

The problem is that we IMHO still stick to procedures Mr Zimmermann,
while not being a cryptographer back then, has invented in the early
90s, which may no longer fit in 2020.

It should be also pointed out, to the interested reader, that 99% of
public key crypto software, I am aware of, does not require an email
address, a UID, to manage public keys (in a key ring).

Regards
Stefan

-- 
https://keybase.io/stefan_claas
           



More information about the Gnupg-users mailing list