On Mon, Nov 2, 2020 at 12:10 PM Andrew Gallagher <andr...@andrewg.com> wrote:
>
> On 31/10/2020 23:45, Stefan Claas wrote:
> > I am aware that there is a second 'Stefan Claas' living in Germany
> > but he would not have the same fingerprint as I would have. In case
> > of doubt people could always prove to third parties, if requested,
> > that one is the actual key holder, with a simple challenge/response.
>
> This may be an acceptable edge case for one Stefan Claas, but maybe not
> for Stefan Müller or Stefan Schmidt. Or even the other Stefan Claas, who
> may not appreciate you being able to more easily impersonate him. :-)
>
> If Governikus (or anyone else for that matter) were to start certifying
> ambiguous identities, it would devalue their name across the board. Why
> would they do that?

You are correct, they would not do that.

While I also thought about the possibility that here in Germany there are, for example, thousands of Müller or Meier etc., I could imagine that not only two of them bear the same first name. It would be interesting to get hold of them and then convince them to use a shared email account, while each of them would then have to generate their own key pair and then have it signed by Governikus.

I think a solution to this problem could be PBKDF2 hashed data in the UID, but developing an OpenPGP certifying workflow could be a bit tricky.

https://www.freecodeformat.com/pbkdf2.php

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
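
Added example, not part of the original message and not GnuPG or Governikus code: one possible reading of the "PBKDF2 hashed data in the UID" idea from the reply above, in Python. The UID comment layout, the use of a date and place of birth as the hashed attribute, the iteration count, and all names and addresses are constructed assumptions.

```python
import base64, hashlib, hmac, os, re

ITERATIONS = 600_000  # assumed work factor; the thread does not name one
# Hypothetical UID layout: Name (pbkdf2-sha256$iter$salt$tag) <email>
UID_RE = re.compile(
    r"^(?P<name>.+) \(pbkdf2-sha256\$(?P<iter>\d+)"
    r"\$(?P<salt>[A-Za-z0-9_-]+)\$(?P<tag>[A-Za-z0-9_-]+)\) <(?P<email>[^>]+)>$"
)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def derive_tag(private_attr, salt, iterations):
    # The attribute (here birth date and place) is low entropy, so the salt and
    # iteration count only slow guessing; they do not make the tag unguessable.
    return hashlib.pbkdf2_hmac("sha256", private_attr.encode("utf-8"),
                               salt, iterations, dklen=16)

def make_uid(name, email, private_attr, salt=None, iterations=ITERATIONS):
    """Build a UID whose comment disambiguates holders who share name and email."""
    if salt is None:
        salt = os.urandom(16)
    tag = derive_tag(private_attr, salt, iterations)
    return f"{name} (pbkdf2-sha256${iterations}${_b64(salt)}${_b64(tag)}) <{email}>"

def verify_uid(uid, claimed_attr):
    """Check an attribute disclosed by the key holder against the UID comment."""
    m = UID_RE.match(uid)
    if not m:
        return False
    iterations = int(m["iter"])
    if not 1 <= iterations <= 10_000_000:  # refuse absurd work factors
        return False
    try:
        salt, expected = _unb64(m["salt"]), _unb64(m["tag"])
    except ValueError:
        return False
    return hmac.compare_digest(expected, derive_tag(claimed_attr, salt, iterations))

if __name__ == "__main__":
    # Constructed sample: two people with the same name and a shared mailbox.
    a = make_uid("Stefan Mueller", "stefan.mueller@example.org", "1975-03-14|Hamburg")
    b = make_uid("Stefan Mueller", "stefan.mueller@example.org", "1982-11-02|Kassel")
    print(a, b, sep="\n")
    print(verify_uid(a, "1975-03-14|Hamburg"), verify_uid(a, "1982-11-02|Kassel"))
```

A certifier would still have to check the disclosed attribute against an identity document before signing such a UID; the code only shows that the UID binds to it.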