Signing Keys w/ Multiple User IDs

David Shaw dshaw@jabberwocky.com
Tue Jul 30 04:23:01 2002


On Mon, Jul 29, 2002 at 07:01:05PM -0700, David Scribner wrote:
> Hello all! I have really enjoyed reading through the
> gnupg-user archives, and have learned a lot from
> everybody on the finer points in using GnuPG, but I
> have a few questions that I've not been able to find
> the answers to in the manual, FAQs or the many
> articles I've read...
> 
> I know that when you're editing a key to attach a
> signature, and that key has more than one user ID
> (email address), you can select the user IDs that you
> want to attach your signature to. My questions are:
> 
> 1.) What benefit does signing multiple user IDs on
> this key provide (to both the keyholder and myself)?

The classic PGP trust model gives trust through user IDs, so when you
"sign a key" you are really signing a user ID on that key.  For
example, if you want to send email to joe@example.com and you have a
valid trust path to Joe, you're all set.  If you want to send mail to
patti@example.com, you might be out of luck, even though Joe and Patti
are two different user IDs on the same key.  In this case, you trust
that Joe is a valid name on the key, and therefore you trust the key,
but Patti is not a valid name, so you don't trust the key.

This is not exactly a common situation, of course. :)

> 2.) When signing another's key where the signature(s)
> are exportable, is it best to attach your signature to
> all user IDs present?

It depends.  Signing more than one user ID means that you vouch for
all of those user IDs.  Do you?

For example, if I was signing a key, and one user ID says "Charles
Dodgson" and the other says "Alice Liddell", I'd probably be
suspicious.  Personally, I email all of the user IDs before signing
them to confirm the mail goes to someone who has access to the secret
key half.

If you vouch for all of the user IDs (names and email addresses), then
by all means sign all of the user IDs.  Not too long ago I signed a
key whose owner had just changed his name.  He showed me evidence of
the name change, so I signed his key.  No big deal.

> 3.) When signing another's key where the signature(s)
> are NOT exportable, such as a key used to verify a
> software package, if this key contains multiple user
> IDs, is it advisable to sign all user IDs on this key,
> or will signing the primary user ID suffice?

In the specific case you mention (a key used to verify a software
package), it does not matter.  This is because in this case, the key
is located by its key ID and not a particular user ID.  Signing one or
all of the user IDs will have the same function of trusting the key.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
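The two points in the reply above (trust is attached to user IDs, so one key can have a valid "Joe" and an unknown "Patti"; and a key fetched by key ID for package verification only needs some trusted user ID) can be made concrete by reading the per-user-ID validity column that `gpg --with-colons --list-keys` emits. The script below is an added example, not part of David Shaw's message or of GnuPG itself: the key listing is a constructed sample with placeholder key IDs and fingerprints, and the field positions it reads (record type, validity code, key ID, user ID string) follow the documented colon-separated format.

```python
"""Report per-user-ID validity from a `gpg --with-colons --list-keys` listing.

Added example, not code from the original message. The listing below is
constructed to mirror the Joe/Patti situation: one key, two user IDs, only
one of which has a trusted certification path. Key IDs and fingerprints
are placeholders, not real keys.
"""
from dataclasses import dataclass, field

# Validity codes found in field 2 of pub/uid records (subset of GnuPG's set).
VALIDITY = {
    "u": "ultimate", "f": "full", "m": "marginal", "-": "unknown",
    "q": "undefined", "n": "never", "e": "expired", "r": "revoked",
}
# Levels at which GnuPG considers the user ID verified for use.
TRUSTED = {"u", "f"}

# Constructed sample listing (placeholder key IDs / fingerprints).
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:f:4096:1:0000000000000001:1577836800:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:f::::1577836800::AAAA::Joe Example <joe@example.com>::::::::::0:
uid:-::::1577836800::BBBB::Patti Example <patti@example.com>::::::::::0:
sub:f:4096:1:0000000000000002:1577836800::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000002:
"""


@dataclass
class Key:
    keyid: str
    fingerprint: str = ""
    uids: dict = field(default_factory=dict)  # user ID string -> validity code


def parse_listing(text: str) -> list:
    """Group pub/fpr/uid records into Key objects (sub-key fpr lines ignored)."""
    keys = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if f[0] == "pub":
            keys.append(Key(keyid=f[4]))
        elif f[0] == "fpr" and keys and not keys[-1].fingerprint:
            keys[-1].fingerprint = f[9]          # first fpr after pub = primary
        elif f[0] == "uid" and keys:
            keys[-1].uids[f[9]] = f[1]           # field 10 = UID, field 2 = validity
    return keys


def uid_validity(keys, email: str) -> list:
    """(keyid, uid, validity name) for every user ID carrying this address."""
    needle = f"<{email.lower()}>"
    return [
        (k.keyid, uid, VALIDITY.get(code, code))
        for k in keys
        for uid, code in k.uids.items()
        if needle in uid.lower()
    ]


def mail_is_verified(keys, email: str) -> bool:
    """The email case: only a trusted user ID with this address counts."""
    needle = f"<{email.lower()}>"
    return any(
        code in TRUSTED
        for k in keys
        for uid, code in k.uids.items()
        if needle in uid.lower()
    )


def key_is_verified(keys, keyid: str) -> bool:
    """The key-ID lookup case (package signing key): any trusted user ID suffices."""
    for k in keys:
        if k.keyid.upper().endswith(keyid.upper()):
            return any(code in TRUSTED for code in k.uids.values())
    return False


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    for k in keys:
        for uid, code in k.uids.items():
            print(f"{k.keyid} {VALIDITY.get(code, code):9} {uid}")
    print("joe@example.com verified:   ", mail_is_verified(keys, "joe@example.com"))
    print("patti@example.com verified: ", mail_is_verified(keys, "patti@example.com"))
    print("key ...0001 verified by ID: ", key_is_verified(keys, "0000000000000001"))
```

Run against a real keyring by piping `gpg --with-colons --list-keys` into `parse_listing`; the same key then answers "yes" for Joe's address, "no" for Patti's, and "yes" when asked about the key ID alone, which is exactly why signing Joe's user ID but not Patti's matters for mail and not for package verification.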