keysigning ?= UIDsigning

L. Sassaman
Thu, 29 Jun 2000 15:21:44 -0700 (PDT)

Hash: SHA1

On Wed, 28 Jun 2000, Chad Miller wrote:

> On Wed, Jun 28, 2000 at 07:34:24PM -0400, Billy Donahue wrote:
> > You accumulate signatures on your UID+key, not the key itself.
> > A signature asserts a relation of a UID to the key.
> ...but a fingerprint or keyid doesn't assert UID at all. So, when you're
> at a keysigning party, you should demand the UID as well?
Yes. And then you send a "teset message" to that UID to confirm that it is owned by the proper person.
> Hmmm. I think I agree with this, but I suggest a change to the docs to
> add as the primary UID only information that should never change, and add
> UIDs later to contain email addresses and other ephemeral info after it.
Huh? The primary user ID can be arbitrarily changed. That is how it is intended to work.
> It'd be a shame to get plenty of signatures on a single-UID key and have
> your ISP go tits-up.
Yes, it would be. But those signatures certainly are not valid if the email address is not valid, because they are asserting that the email address and name (together: UID) belongs to the owner of said key. __ L. Sassaman System Administrator | Technology Consultant | "Common sense is wrong." icq.. 10735603 | pgp.. finger:// | --Practical C Programming -----BEGIN PGP SIGNATURE----- Comment: OpenPGP Encrypted Email Preferred. iD8DBQE5W8v/PYrxsgmsCmoRAvzMAKCkdVyfH1IGyxK64bayAeDmHkELcgCgpbHc JzN9pWMDFOC34wvYaafEPUE= =qQOt -----END PGP SIGNATURE-----