keysigning ?= UIDsigning

Billy Donahue
Wed, 28 Jun 2000 19:34:24 -0400 (EDT)


On Wed, 28 Jun 2000, Chad Miller wrote:

> I had an acquaintance ``sign my key'' and I '--import'ed the key he
> mailed back to me.
> Since the time I delivered my key to him, I deleted the UID and created
> another with a comment in it.
> The import noted the addition of a UID and a signature, and when I
> list my signatures, I note that his signature is attached to the one
> I previously removed.
> It seems that if I remove the UID, the signature is removed. I'm
> surprised.
> What happens if you change ISPs or names? Must one get all signers of
> your UID to re-sign the new UID?

Absolutely... If I get Abe Lincoln, Martin Luther King, and Gandhi to sign <> to my key, and then pull a switcheroo to make that a key for <>, I shouldn't be able to use their signatures to help me pull off such a fraud. That's not what they signed...

> Feature or bug?

Feature! You accumulate signatures on your UID+key, not the key itself. A signature asserts a relation of a UID to the key. See, this prevents someone from removing the UID, reinserting their own, and having the key maintain the same trust level with your friends. If a UID changes, then the signatures attaching that UID to the key have to be discarded.

-- 
"The Funk, the whole Funk, and nothing but the Funk."
Billy Donahue <>
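
Added example, not part of the original thread: a Python sketch of why a certification cannot follow the key to a different UID. It builds the hash input of a V4 User ID certification as laid out in RFC 4880 section 5.2.4 (key packet body, then User ID, then signature trailer), which goes beyond what the message spells out. The key bytes, UIDs and signer secret are constructed, the hashed subpacket area is left empty, and an HMAC stands in for the signer's public-key signature.

```python
import hashlib
import hmac
import struct

SIG_TYPE_GENERIC_CERT = 0x10   # certification of a User ID and public key
PUBKEY_ALGO_RSA = 1
HASH_ALGO_SHA256 = 8

# Constructed sample values, not taken from any real key.
KEY_BODY = b"\x04" + struct.pack(">I", 962235264) + b"\x01constructed-key-material"
OTHER_KEY_BODY = b"\x04" + struct.pack(">I", 962235264) + b"\x01different-key-material"
OLD_UID = "Alice Example <alice@old-isp.example>"
NEW_UID = "Alice Example (new ISP) <alice@new-isp.example>"
SIGNER_SECRET = b"constructed signer secret"


def certification_digest(key_body: bytes, uid: str) -> bytes:
    """Digest a V4 certification covers: key body, User ID, then trailer."""
    uid_bytes = uid.encode("utf-8")
    hashed_subpackets = b""  # simplification: real signatures carry a creation time
    sig_data = bytes([4, SIG_TYPE_GENERIC_CERT, PUBKEY_ALGO_RSA, HASH_ALGO_SHA256])
    sig_data += struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets
    h = hashlib.sha256()
    h.update(b"\x99" + struct.pack(">H", len(key_body)) + key_body)    # the key
    h.update(b"\xb4" + struct.pack(">I", len(uid_bytes)) + uid_bytes)  # the UID
    h.update(sig_data)
    h.update(b"\x04\xff" + struct.pack(">I", len(sig_data)))           # trailer
    return h.digest()


def certify(signer_secret: bytes, key_body: bytes, uid: str) -> bytes:
    """Stand-in for the signer's public-key signature over the digest (assumption)."""
    digest = certification_digest(key_body, uid)
    return hmac.new(signer_secret, digest, hashlib.sha256).digest()


def certification_valid(signer_secret: bytes, key_body: bytes, uid: str, sig: bytes) -> bool:
    """Recompute over the presented (key, UID) pair and compare in constant time."""
    return hmac.compare_digest(certify(signer_secret, key_body, uid), sig)


if __name__ == "__main__":
    sig = certify(SIGNER_SECRET, KEY_BODY, OLD_UID)
    for label, key, uid in [("same key, signed UID", KEY_BODY, OLD_UID),
                            ("same key, replaced UID", KEY_BODY, NEW_UID),
                            ("other key, signed UID", OTHER_KEY_BODY, OLD_UID)]:
        print(f"{label}: {certification_valid(SIGNER_SECRET, key, uid, sig)}")
```

Because the UID bytes are part of the hashed data, deleting a UID leaves its certifications with nothing to verify against, and a new UID needs fresh signatures from each signer.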