Several questions as feedback on gnupg

Ingo Klöcker
Thu Jan 24 21:38:02 2002

On Thursday 24 January 2002 02:53, Mike Touloumtzis wrote:
> I can't see how getting my key from a keyserver is any safer than
> getting a "specially prepared key" from me.  I can upload whatever I
> want to the keyservers.  Can you explain why you believe downloading
> from the keyservers is safer?  Is there material which is relevant to
> the signing process, not covered by the fingerprint, and not visible
> in the UID?

If you upload your key to a keyserver everyone can get it from there. 
Therefore it would be much more dangerous for you to upload a key with 
a wrong UID.
OTOH, if you send me your key and I send the signed key back to you then 
it's just me who knows about this key. And then you could add a 
malicious UID and probably trick my non-OpenPGP-understanding friends 
into signing it because I signed your key. And if I trusted my friends 
maybe marginally (which I obviously had better not) you could 
achieve that your malicious UID was valid for me. Of course this 
example is very hypothetical. So it doesn't really matter much how I 
get your key.
