Signing Keys w/ Multiple User IDs

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Tue Jul 30 10:40:01 2002


On Tue, 2002-07-30 at 04:24, David Shaw wrote:

[which uid to sign?]

> In the specific case you mention (a key used to verify a software
> package), it does not matter.  This is because in this case, the key
> is located by its key ID and not a particular user ID.  Signing one or
> all of the user IDs will have the same function of trusting the key.

Summarized (please correct me if I'm wrong):

If you're encrypting, key lookup is per userid, so it matters which uid
you signed.
If you're verifying signatures, key lookup is per keyid, because the
signature does not store any 'signer' userid.

I've had a lengthy discussion about what a userid - and a signature on a
userid - exactly means (especially because userid is really limited to
e-mail [1]) and would be interested to know if the trust model will get
some reworking in the future (g10 Code lists reworking the trust model
on their TODO list...)

cheers
-- vbi

-- 
secure email with gpg                         http://fortytwo.ch/gpg

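To make concrete why verification can only go through the key ID, here is an added example (not part of the thread) that parses the OpenPGP signature GnuPG 1.0.7 attached to this post and returns every field it carries: an 8-octet issuer key ID, the algorithm and timestamp fields, and the DSA r and s values, with nothing that names a user ID. The parser assumes the old-format v3 signature packet used here and does not handle v4 signatures or verify the armor CRC.

```python
import base64

# The armored signature GnuPG 1.0.7 attached to this post ("=KnUU" is the
# radix-64 CRC24 line, which this example skips rather than verifies).
ARMORED_SIG = """\
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQA9RlE5wj49sl5Lcx8RArbFAJ9JjQRj6H1NBo1pgut7PTDXePeXtACdHXCa
dPLwVS7NqhbBVj/GSlaza4M=
=KnUU
-----END PGP SIGNATURE-----
"""

def dearmor(text):
    """Drop BEGIN/END lines, armor headers and the CRC line; decode the rest."""
    body, in_body = [], False
    for line in text.strip().splitlines()[1:-1]:
        if not in_body:
            in_body = line.strip() == ""      # blank line ends the headers
            continue
        if line.startswith("="):              # "=XXXX" is the CRC24 line
            break
        body.append(line.strip())
    return base64.b64decode("".join(body))

def parse_v3_signature(packet):
    """Parse an old-format v3 signature packet (RFC 4880, section 5.2.2) and
    return every field it carries. Note that no field is a user ID."""
    tag = packet[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2 or tag & 0x03 != 0:
        raise ValueError("expected an old-format signature packet, 1-octet length")
    body = packet[2:2 + packet[1]]
    if body[0] != 3 or body[1] != 5:
        raise ValueError("not a v3 signature")
    mpi_bits, pos = [], 19                    # DSA (r, s) follow as MPIs
    while pos < len(body):
        bits = int.from_bytes(body[pos:pos + 2], "big")
        mpi_bits.append(bits)
        pos += 2 + (bits + 7) // 8
    if pos != len(body):
        raise ValueError("trailing or truncated MPI data")
    return {"version": body[0], "sig_type": body[2],
            "created": int.from_bytes(body[3:7], "big"),   # creation time
            "issuer_key_id": body[7:15].hex().upper(),     # the only identity
            "pubkey_alg": body[15], "hash_alg": body[16],   # 17 = DSA, 2 = SHA-1
            "hash_left16": body[17:19].hex(), "mpi_bits": mpi_bits}

def signature_key_id(armored):
    """Which key verifies this? Only the issuer key ID says."""
    return parse_v3_signature(dearmor(armored))["issuer_key_id"]
```

The key ID is what `gpg --verify` uses to find the key in the keyring; which of that key's user IDs you signed never enters into it.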