Werner Koch wk at
Wed Jan 27 14:16:37 CET 1999

Thomas Roessler <roessler at> writes:

> No.  My problem lies in the fact that gpg assigns trust ("validity")
> values to public keys, not to the association between a key and a
> specific user ID, as far as I can tell.  (At least I don't see any

Right. We had a discussion about this a long time ago and this is
definitely the right way to do it.  I assume that a signator always
takes the same precautions when signing a user id regardless of the
form of user id.  If you think he does not - don't trust the signator.

> > $ gpg --list-keys --with-colons
> > pub:q:2048:1:D2262944CE6AC6C1:1997-12-23::216:f:Thomas Roessler 
> This is only information about the key and, maybe, about one user ID
> of that key.

You get all the user ids

$ gpg --list-keys --with-colons 0C9857A5
pub:u:768:1:1D19F4C10C9857A5:1995-09-30::83:-:Werner Koch <werner.koch at>:
uid:::::::::Werner Koch (mein alter key) <wk at>:

> Type Bits/KeyID    Date       User ID
> pub  2048/93478F6B 1997/06/17 Fake alert. Don't use this key. % f-1
> sig!      DD08DD6D 1997/06/19  Roland Rosenfeld <roland at>
> sig!*     593238E1 1997/06/19  Thomas Roessler <roessler at>
>                               in-ca at SIGN EXPIRE:1998-12-31 Root CA des Individual Network e.V. <in-ca at>

A revocation certificate is the way to do this and not assigning
another user id.

> Or think about a key which has a certified user ID and self-signs
> another, bogus ID.  The user must be able to tell the trusted ID

A self-signed but bogus user id ??

I know that we should have user id and certification revocations.
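
Added example (not part of the original message and not GnuPG code): a small Python parser for the `--with-colons` records quoted above, showing that in this output the validity field is filled only on the `pub` line while the additional `uid` record carries none of its own. Field positions are read off the sample lines in the message; the function names are hypothetical.

```python
# Constructed sample: the two records quoted in the message above
# (e-mail addresses are truncated on the archive page and kept as-is).
SAMPLE = """\
pub:u:768:1:1D19F4C10C9857A5:1995-09-30::83:-:Werner Koch <werner.koch at>:
uid:::::::::Werner Koch (mein alter key) <wk at>:
"""


def parse_colons(text):
    """Group uid records under the pub record that precedes them.

    Field positions (1-based), as assumed from the sample lines:
    1 record type, 2 validity, 5 key ID, 10 user ID.
    Returns a list of dicts, one per key.
    """
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 10:
            continue  # skip blank or truncated lines
        rtype, validity, keyid, uid = fields[0], fields[1], fields[4], fields[9]
        if rtype == "pub":
            # The pub line carries the key's validity and the first user ID.
            keys.append({"keyid": keyid, "validity": validity,
                         "uids": [(uid, validity)]})
        elif rtype == "uid" and keys:
            # An empty field 2 means no per-user-ID validity was printed.
            keys[-1]["uids"].append((uid, validity or None))
    return keys


def uids_without_own_validity(keys):
    """Additional user IDs whose only validity is the one on the pub line."""
    return [(key["keyid"], uid)
            for key in keys
            for uid, validity in key["uids"][1:]
            if validity is None]


if __name__ == "__main__":
    for keyid, uid in uids_without_own_validity(parse_colons(SAMPLE)):
        print(f"{keyid}: no separate validity for user ID {uid!r}")
```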

