Signing Keys w/ Multiple User IDs

Adrian 'Dagurashibanipal' von Bidder
Tue Jul 30 10:40:01 2002


On Tue, 2002-07-30 at 04:24, David Shaw wrote:

[which uid to sign?]

> In the specific case you mention (a key used to verify a software
> package), it does not matter.  This is because in this case, the key
> is located by its key ID and not a particular user ID.  Signing one or
> all of the user IDs will have the same function of trusting the key.

Summarized (please correct me if I'm wrong):

If you're encrypting, key lookup is per userid, so it matters which uid
you signed.
If you're verifying signatures, key lookup is per keyid, because the
signature does not store any 'signer' userid.

I've had a lengthy discussion about what a userid - and a signature on a
userid - exactly means (especially because userid is really limited to
e-mail [1]) and would be interested to know if the trust model will get
some reworking in the future (g10 Code lists reworking the trust model
on their TODO list...)

-- vbi

secure email with gpg               
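The two lookup paths summarized in this message, as an added Python sketch that is not part of the original post: it parses a v4 signature packet (RFC 4880 layout) for its issuer key ID subpacket, then contrasts that with recipient lookup by user ID. The packet bytes, key IDs, user IDs and the `KEYRING` dictionary are constructed for illustration.

```python
import struct

def build_sig_packet(keyid: bytes) -> bytes:
    """Constructed sample: minimal v4 signature packet with a dummy signature value."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1028025601)  # subpacket type 2: creation time
    unhashed = bytes([9, 16]) + keyid                        # subpacket type 16: issuer key ID
    body = bytes([4, 0x00, 1, 2])                            # v4, binary document, RSA, SHA-1
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\xab\xcd" + struct.pack(">H", 8) + b"\xff"     # hash prefix, dummy MPI
    return bytes([0xC0 | 2, len(body)]) + body               # new-format header, tag 2

def subpackets(area: bytes):
    """Yield (type, value) pairs; only one-octet subpacket lengths are handled."""
    i = 0
    while i < len(area):
        n = area[i]                                          # length covers type + value
        if n == 0 or n >= 192 or i + 1 + n > len(area):
            raise ValueError("unsupported or truncated subpacket")
        yield area[i + 1] & 0x7F, area[i + 2:i + 1 + n]
        i += 1 + n

def issuer_keyid(packet: bytes):
    """Return the issuer key ID (hex) carried in a v4 signature packet, or None."""
    if len(packet) < 2 or packet[0] != 0xC2 or packet[1] >= 192:
        raise ValueError("expected a new-format signature packet with a short length")
    body = packet[2:2 + packet[1]]
    if len(body) < 8 or body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    for area in (body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]):
        for typ, value in subpackets(area):
            if typ == 16:
                return value.hex().upper()
    return None

# Constructed keyring: key ID -> user IDs bound to that key.
KEYRING = {
    "1111222233334444": ["Release Key <releases@example.org>", "Release Key <old@example.org>"],
    "AAAABBBBCCCCDDDD": ["Alice <alice@example.org>"],
}

def key_for_verification(packet: bytes):
    """Verification path: the key is found by the key ID named in the signature."""
    kid = issuer_keyid(packet)
    return kid if kid in KEYRING else None

def keys_for_recipient(pattern: str):
    """Encryption path: the key is found by matching the recipient against user IDs."""
    return [k for k, uids in KEYRING.items() if any(pattern.lower() in u.lower() for u in uids)]
```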
