Robot CA at toehold.com

Kyle Hasselbacher kyle@toehold.com
Fri Dec 6 17:20:05 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Dec 05, 2002 at 04:13:38PM +0100, Olaf Gellert wrote:

>Hmmm... The keys you send may find their way to the
>sender on another way (eg postmaster) so it may not
>be enough to verify the email address...

There are lots of ways email can go wrong.  If postmaster forwards the
signed key, maybe my encrypted messages will go through too.  I have the
same problem if someone's email is broken so that every tenth message gets
through.  Not only that, your working email address could go away the day
after I sign the key.  Since all I verify is email addresses, the
signatures are no more reliable than email itself.

>And of course (as mentioned in some other mail) you should
>only sign the uids containing this special email-address.

I do that (if I understand you correctly).  If an email comes in with two
UIDs, then I sign them individually and email them to their respective
addresses.  When the two emails arrive, it's up to the user to merge all
the signatures together.  If one doesn't get through, they don't get that
signature.

What's funny is I thought this would be a rare special case when I decided
to handle it.  It turns out, almost everyone who's used the robot has three
UIDs or more.
- -- 
Kyle Hasselbacher
kyle@toehold.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE98M6a10sofiqUxIQRApZpAJ9U5T5ELkTqdPrzfeJKVW/n31YrbACdG3nk
B+lN8ciHd34usdN5ze5D45k=
=D+3d
-----END PGP SIGNATURE-----
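The per-UID handling described in the message above, as an added example that is not part of the original post and is not the robot's own code. It assumes GnuPG 2.1 or later (for `--quick-sign-key`) and a constructed `--with-colons` key listing; `per_uid_plan` and the sample key are hypothetical.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` output (not a real key).
SAMPLE = """\
pub:-:2048:1:AAAABBBBCCCCDDDD:1038900000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAABBBBCCCCDDDD:
uid:-::::1038900000::H1::Alice Example <alice@example.org>::::::::::0:
uid:-::::1038900000::H2::Alice (work\\x3a ops) <alice@corp.example>::::::::::0:
uid:r::::1038900000::H3::Alice Old <old@example.net>::::::::::0:
uid:-::::1038900000::H4::Alice Example (no address)::::::::::0:
"""

# Trailing <addr> only; no whitespace allowed, so a UID cannot smuggle
# extra recipients or header lines into the outgoing mail.
ADDR = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>\s*$")


def unescape(field):
    """Undo the \\xNN escaping gpg applies to ':' and control bytes."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def per_uid_plan(colons):
    """Return one entry per signable UID: where to mail it, how to sign it.

    Each entry is meant to be run against its own scratch keyring, so the
    exported key carries the signature for that single UID and is mailed
    (encrypted to the key) only to that UID's address.
    """
    fpr, plan = None, []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "fpr" and fpr is None:
            fpr = f[9]                      # primary key fingerprint
        elif f[0] == "uid" and f[1] not in ("r", "e"):  # skip revoked/expired
            uid = unescape(f[9])
            m = ADDR.search(uid)
            if m is None:
                continue                    # nothing to verify by email
            plan.append({
                "uid": uid,
                "to": m.group(1),
                # '=' asks gpg for an exact match, so only this UID is signed
                "sign": ["gpg", "--batch", "--yes",
                         "--quick-sign-key", fpr, "=" + uid],
            })
    return plan


if __name__ == "__main__":
    for step in per_uid_plan(SAMPLE):
        print(step["to"], "<-", " ".join(step["sign"]))
```
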