ping - Governikus

Stefan Claas spam.trap.mailing.lists at gmail.com
Wed Nov 4 17:54:18 CET 2020


On Wed, Nov 4, 2020 at 4:32 PM Andrew Gallagher <andrewg at andrewg.com> wrote:
>
> On 04/11/2020 15:33, Stefan Claas wrote:
> > The email address has no certification value, because in case of a
> > freeform UID they/we would not refuse to sign a key, I strongly assume.
>
> You could sign it if you want, that's not the issue. The issue is what
> value a third party would place on such a signature.

Well, if someone I know, or a CA, would sign such a key from you,
I would know that the key belongs to you, regardless of what the
key is used for, i.e. in case you would sign here on the ML, and with
the option that your email account changes in the future.

> > If people use primarily 'social' media for their communications, like
> > facebook which has a profile option for a GnuPG pub key, why should
> > that pub key bear an email address, once certified?
>
> It does not need to bear an email address, no. But it should bear a
> unique identifier of some kind. That could be a URL, or a Twitter
> handle, or anything sufficiently distinctive for the purposes for which
> a third party would expect to use the key.

For me a unique identifier would be the included hash, which I can't
reverse, but which was signed along with my name by the CA.

[...]

> The key phrase I keep repeating in all these arguments is "third party".
> For secure communication between two individuals who already have an
> established relationship, there is no need for third-party
> certification. I still don't see an actual use case for this.

Not sure why you don't see this, but let's say you or I would run a popular
crypto etc. blog on a web page, people would be allowed to reply
encrypted, and you only provided a postal address (P.O. box address) instead
of a spammable email address. I, and probably the majority of readers, would
not need an email address in your UID, and they would most likely trust
your certified pub key more, like I would, compared to a pub key which
bears no CA signature. There are more examples, but I think my point
should be clear: people should have the option to get a CA-certified
public key without an email address, so that they can use the pub key
as a multipurpose key, not bound to an email address, which can always
change.

Regards
Stefan
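Editor's added example, not part of the thread above and not code from GnuPG or Governikus: what a v4 OpenPGP certification signature actually hashes, per RFC 4880 sections 5.2.4 (certification hash input) and 12.2 (v4 fingerprint). The point it makes concrete is that a CA's certification binds the key material to the exact User ID string, so a freeform UID such as "Stefan Claas" is certified just as firmly as "Stefan Claas <stefan@example.org>", and the two yield different digests. The key packet body, creation timestamps and both UID strings are constructed dummies, and the signature's hashed area is reduced to a single creation-time subpacket; none of this is taken from a real key.

```python
"""Added example: build the hash input of an OpenPGP v4 UID certification.

The key packet body below is a constructed dummy (a plausible RSA packet
layout with made-up MPIs), not a real key; UIDs and timestamps are invented.
"""
import hashlib
import struct


def mpi(x: int) -> bytes:
    # RFC 4880 3.2: two-octet bit count, then the magnitude, big-endian
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")


def dummy_v4_key_body() -> bytes:
    # Constructed v4 public-key packet body: version 4, creation time,
    # public-key algorithm 1 (RSA), then the MPIs n and e. NOT a usable key.
    n = (0xC0FFEE << 40) | 0x1234567890  # arbitrary 64-bit "modulus"
    e = 65537
    return b"\x04" + struct.pack(">I", 1604508858) + b"\x01" + mpi(n) + mpi(e)


def key_hash_prefix(key_body: bytes) -> bytes:
    # RFC 4880 5.2.4 / 12.2: octet 0x99, two-octet length, key packet body
    return b"\x99" + struct.pack(">H", len(key_body)) + key_body


def v4_fingerprint(key_body: bytes) -> str:
    # RFC 4880 12.2: SHA-1 over the prefixed key packet, 40 hex digits
    return hashlib.sha1(key_hash_prefix(key_body)).hexdigest().upper()


def sig_hashed_fields(sig_type: int = 0x13, creation_time: int = 1604508858) -> bytes:
    # Signature fields covered by the hash (RFC 4880 5.2.3): version 4,
    # signature type (0x13 = positive UID certification), pk algo 1 (RSA),
    # hash algo 8 (SHA-256), two-octet hashed-subpacket length, subpackets.
    # Only a Signature Creation Time subpacket (type 2, 4-octet body) here.
    subpacket = bytes([5, 2]) + struct.pack(">I", creation_time)
    return b"\x04" + bytes([sig_type, 1, 8]) + struct.pack(">H", len(subpacket)) + subpacket


def certification_hash_input(key_body: bytes, user_id: str, hashed: bytes) -> bytes:
    # RFC 4880 5.2.4: key (0x99-prefixed), then for a v4 UID certification
    # 0xB4 + four-octet UID length + UID bytes, then the signature's hashed
    # fields, then the v4 trailer 0x04 0xFF + four-octet length of those fields.
    uid = user_id.encode("utf-8")
    data = key_hash_prefix(key_body)
    data += b"\xB4" + struct.pack(">I", len(uid)) + uid
    data += hashed
    data += b"\x04\xFF" + struct.pack(">I", len(hashed))
    return data


def certification_digest(key_body: bytes, user_id: str, hashed: bytes = None) -> str:
    # The SHA-256 value a certifying key (e.g. a CA key) would actually sign.
    if hashed is None:
        hashed = sig_hashed_fields()
    return hashlib.sha256(certification_hash_input(key_body, user_id, hashed)).hexdigest()


if __name__ == "__main__":
    kb = dummy_v4_key_body()
    print("fingerprint:", v4_fingerprint(kb))
    for uid in ("Stefan Claas", "Stefan Claas <stefan@example.org>"):
        print(f"{uid!r}: {certification_digest(kb, uid)}")
```

Running this shows that the certification digest changes with every byte of the UID while the fingerprint stays the same: the CA is attesting a (key, exact UID string) pair, and an email address in that string is just more bytes under the same signature, not a prerequisite for it. A certification made on the freeform UID does not carry over to a later UID that adds or changes an address; that new UID needs its own certification.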