keysigning ?= UIDsigning

L. Sassaman rabbi at
Thu Jun 29 16:21:44 CEST 2000

Hash: SHA1

On Wed, 28 Jun 2000, Chad Miller wrote:

> On Wed, Jun 28, 2000 at 07:34:24PM -0400, Billy Donahue wrote:
> > You accumulate signatures on your UID+key, not the key itself.
> > A signature asserts a relation of a UID to the key.
> ...but a fingerprint or keyid doesn't assert UID at all.  So, when you're 
> at a keysigning party, you should demand the UID as well?

Yes. And then you send a "teset message" to that UID to confirm that it is
owned by the proper person.
> Hmmm.  I think I agree with this, but I suggest a change to the docs to 
> add as the primary UID only information that should never change, and add
> UIDs later to contain email addresses and other ephemeral info after it.

Huh? The primary user ID can be arbitrarily changed. That is how it is
intended to work.
> It'd be a shame to get plenty of signatures on a single-UID key and have
> your ISP go tits-up.  

Yes, it would be. But those signatures certainly are not valid if the
email address is not valid, because they are asserting that the email
address and name (together: UID) belongs to the owner of said key.


L. Sassaman

System Administrator                |  
Technology Consultant               |  "Common sense is wrong." 
icq.. 10735603                      |  
pgp.. finger:// |    --Practical C Programming

Comment: OpenPGP Encrypted Email Preferred.


More information about the Gnupg-devel mailing list