keysigning ?= UIDsigning
Thu, 29 Jun 2000 15:21:44 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
On Wed, 28 Jun 2000, Chad Miller wrote:
> On Wed, Jun 28, 2000 at 07:34:24PM -0400, Billy Donahue wrote:
> > You accumulate signatures on your UID+key, not the key itself.
> > A signature asserts a relation of a UID to the key.
> ...but a fingerprint or keyid doesn't assert UID at all. So, when you're
> at a keysigning party, you should demand the UID as well?
Yes. And then you send a "teset message" to that UID to confirm that it is
owned by the proper person.
> Hmmm. I think I agree with this, but I suggest a change to the docs to
> add as the primary UID only information that should never change, and add
> UIDs later to contain email addresses and other ephemeral info after it.
Huh? The primary user ID can be arbitrarily changed. That is how it is
intended to work.
> It'd be a shame to get plenty of signatures on a single-UID key and have
> your ISP go tits-up.
Yes, it would be. But those signatures certainly are not valid if the
email address is not valid, because they are asserting that the email
address and name (together: UID) belongs to the owner of said key.
System Administrator |
Technology Consultant | "Common sense is wrong."
icq.. 10735603 |
pgp.. finger://ns.quickie.net/rabbi | --Practical C Programming
-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.
-----END PGP SIGNATURE-----