keysigning ?= UIDsigning
Billy Donahue
billy@dadadada.net
Wed, 28 Jun 2000 19:34:24 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 28 Jun 2000, Chad Miller wrote:
> I had an acquaintance ``sign my key'' and I '--import'ed the key he
> mailed back to me.
>
> Since the time I delivered my key to him, I deleted the UID and created
> another with a comment in it.
>
> The import noted the addition of a UID and a signature, and when I
> list my signatures, I note that his signature is attached to the one
> I previously removed.
>
> It seems that if I remove the UID, the signature is removed. I'm
> surprised.
>
> What happens if you change ISPs or names? Must one get all signers of
> your UID to re-sign the new UID?
Absolutely... If I get Abe Lincoln, Martin Luther King, and
Gandhi to sign <billy@dadadada.net> to my key, and then pull a
switcheroo to make that a key for <bill@whitehouse.gov>, I
shouldn't be able to use their signatures to help me pull off
such a fraud. That's not what they signed...
> Feature or bug?
Feature!
You accumulate signatures on your UID+key, not the key itself.
A signature asserts a relation of a UID to the key.
See, this prevents someone from removing the uid,
reinserting their own, and having the key maintain the same trust level
with your friends.. If a UID changes, then the signatures attaching
that UID to the key have to be discarded.
- --
"The Funk, the whole Funk, and nothing but the Funk."
Billy Donahue <mailto:billy@dadadada.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Made with pgp4pine 1.75
iD8DBQE5WouB+2VvpwIZdF0RAg/wAJsEqwQZCITEf5uwrDMhxTow/X8zwwCggjZ3
Q/tr60EY2aRuKU1TZW82fMQ=
=7+WE
-----END PGP SIGNATURE-----
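
The binding discussed in this thread, as an added example that is not part of the original messages: a sketch of the data an OpenPGP V4 User ID certification hashes (RFC 4880, section 5.2.4), showing that the digest a signer signs covers both the key and the UID. The key bytes are constructed placeholder data rather than a real key, the function names are hypothetical, and the two UIDs are the ones used in the reply above.

```python
import hashlib
import struct

# Constants from RFC 4880: signature type, public-key algorithm, hash algorithm.
SIG_TYPE_GENERIC_CERT = 0x10
PUBKEY_ALGO_RSA = 1
HASH_ALGO_SHA256 = 8

# Constructed placeholder for a public-key packet body (not a real key,
# the trailing bytes are not well-formed MPIs).
KEY_BODY = bytes.fromhex("04395a8b8001") + b"constructed-key-material"
OTHER_KEY_BODY = bytes.fromhex("04395a8b8001") + b"another-constructed-key"


def certification_digest(key_body: bytes, uid: str,
                         hashed_subpackets: bytes = b"") -> str:
    """Digest computed over key + UID + signature data for a V4 certification.

    Real signatures carry hashed subpackets (creation time etc.); they are
    left empty here because they do not affect the point being shown.
    """
    uid_bytes = uid.encode("utf-8")
    # Hashed part of the signature packet: version, type, algorithms, subpackets.
    sig_data = bytes([4, SIG_TYPE_GENERIC_CERT, PUBKEY_ALGO_RSA, HASH_ALGO_SHA256])
    sig_data += struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets

    h = hashlib.sha256()
    # 1. The primary key: 0x99, two-octet length, key packet body.
    h.update(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    # 2. The User ID: 0xB4, four-octet length, UID text.
    h.update(b"\xb4" + struct.pack(">I", len(uid_bytes)) + uid_bytes)
    # 3. The signature data and the V4 trailer.
    h.update(sig_data)
    h.update(b"\x04\xff" + struct.pack(">I", len(sig_data)))
    return h.hexdigest()


def signature_still_applies(key_body: bytes, signed_uid: str, current_uid: str) -> bool:
    """True only if the digest that was signed matches the UID now on the key."""
    return (certification_digest(key_body, signed_uid)
            == certification_digest(key_body, current_uid))


if __name__ == "__main__":
    signed, swapped = "<billy@dadadada.net>", "<bill@whitehouse.gov>"
    print("same UID:   ", signature_still_applies(KEY_BODY, signed, signed))
    print("swapped UID:", signature_still_applies(KEY_BODY, signed, swapped))
```

Because the signed digest changes whenever either input changes, a certification made over one UID cannot be carried over to a replacement UID on the same key, nor to the same UID on a different key.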