keysigning ?= UIDsigning
Wed, 28 Jun 2000 19:34:24 -0400 (EDT)
On Wed, 28 Jun 2000, Chad Miller wrote:
> I had an acquaintance ``sign my key'' and I '--import'ed the key he
> mailed back to me.
> Since the time I delivered my key to him, I deleted the UID and created
> another with a comment in it.
> The import noted the addition of a UID and a signature, and when I
> list my signatures, I note that his signature is attached to the one
> I previously removed.
> It seems that if I remove the UID, the signature is removed. I'm
> What happens if you change ISPs or names? Must one get all signers of
> your UID to re-sign the new UID?
Absolutely... If I get Abe Lincoln, Martin Luther King, and
Gandhi to sign <firstname.lastname@example.org> to my key, and then pull a
switcheroo to make that a key for <email@example.com>, I
shouldn't be able to use their signatures to help me pull off
such a fraud. That's not what they signed...
> Feature or bug?
You accumulate signatures on your UID+key, not the key itself.
A signature asserts a relation of a UID to the key.
See, this prevents someone from removing the uid,
reinserting their own, and having the key maintain the same trust level
with your friends. If a UID changes, then the signatures attaching
that UID to the key have to be discarded.
"The Funk, the whole Funk, and nothing but the Funk."
Billy Donahue <mailto:firstname.lastname@example.org>
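
The binding described in the reply above, as an added example that is not part of the original thread: it builds the data a v4 User ID certification hashes (per RFC 4880 section 5.2.4) and shows that a certification made over one UID does not verify over another. The key bytes, the UIDs and the HMAC standing in for the signer's public-key signature are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Signature-packet fields that get hashed: version 4, type 0x10 (generic
# certification), pubkey algo 1 (RSA), hash algo 8 (SHA-256), no hashed subpackets.
SIG_FIELDS = bytes([4, 0x10, 1, 8]) + struct.pack(">H", 0)

def certification_digest(key_body: bytes, uid: bytes) -> bytes:
    """Hash exactly what a v4 User ID certification covers: key AND User ID."""
    h = hashlib.sha256()
    h.update(b"\x99" + struct.pack(">H", len(key_body)) + key_body)  # public key
    h.update(b"\xb4" + struct.pack(">I", len(uid)) + uid)            # User ID
    h.update(SIG_FIELDS)
    h.update(b"\x04\xff" + struct.pack(">I", len(SIG_FIELDS)))       # v4 trailer
    return h.digest()

# Stand-in for the signer's private key. A real certification is an RSA/DSA
# signature over the digest; HMAC is swapped in so this runs without key material.
SIGNER_SECRET = b"constructed signer secret"

def certify(key_body: bytes, uid: bytes) -> bytes:
    digest = certification_digest(key_body, uid)
    return hmac.new(SIGNER_SECRET, digest, hashlib.sha256).digest()

def verify(key_body: bytes, uid: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(certify(key_body, uid), signature)

# Constructed sample data, not real key material or real identities.
KEY_BODY = bytes.fromhex("04") + b"constructed public key packet body"
OTHER_KEY_BODY = bytes.fromhex("04") + b"a different constructed key body"
OLD_UID = b"Alice Example <alice@old-isp.example>"
NEW_UID = b"Alice Example (new comment) <alice@old-isp.example>"

if __name__ == "__main__":
    sig = certify(KEY_BODY, OLD_UID)
    print("same key, signed UID  :", verify(KEY_BODY, OLD_UID, sig))
    print("same key, edited UID  :", verify(KEY_BODY, NEW_UID, sig))
    print("other key, signed UID :", verify(OTHER_KEY_BODY, OLD_UID, sig))
```

Even adding a comment to the UID changes the hashed bytes, which is why the imported signature reattached itself to the old UID rather than the new one.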