keysigning ?= UIDsigning

L. Sassaman rabbi at quickie.net
Thu Jun 29 16:21:44 CEST 2000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 28 Jun 2000, Chad Miller wrote:

> On Wed, Jun 28, 2000 at 07:34:24PM -0400, Billy Donahue wrote:
> > You accumulate signatures on your UID+key, not the key itself.
> > A signature asserts a relation of a UID to the key.
> 
> 
> ...but a fingerprint or keyid doesn't assert UID at all.  So, when you're 
> at a keysigning party, you should demand the UID as well?

Yes. And then you send a "teset message" to that UID to confirm that it is
owned by the proper person.
 
> Hmmm.  I think I agree with this, but I suggest a change to the docs to 
> add as the primary UID only information that should never change, and add
> UIDs later to contain email addresses and other ephemeral info after it.

Huh? The primary user ID can be arbitrarily changed. That is how it is
intended to work.
 
> It'd be a shame to get plenty of signatures on a single-UID key and have
> your ISP go tits-up.  

Yes, it would be. But those signatures certainly are not valid if the
email address is not valid, because they are asserting that the email
address and name (together: UID) belongs to the owner of said key.



__

L. Sassaman

System Administrator                |  
Technology Consultant               |  "Common sense is wrong." 
icq.. 10735603                      |  
pgp.. finger://ns.quickie.net/rabbi |    --Practical C Programming







-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5W8v/PYrxsgmsCmoRAvzMAKCkdVyfH1IGyxK64bayAeDmHkELcgCgpbHc
JzN9pWMDFOC34wvYaafEPUE=
=qQOt
-----END PGP SIGNATURE-----



More information about the Gnupg-devel mailing list