Signing Keys w/ Multiple User IDs

David Scribner dscribner@yahoo.com
Wed Jul 31 06:13:01 2002


--- David Shaw <dshaw@jabberwocky.com> wrote:
> The classic PGP trust model gives trust through user IDs, so when you
> "sign a key" you are really signing a user ID on that key. For
> example, if you want to send email to joe@example.com and you have a
> valid trust path to Joe, you're all set.  If you want to send mail to
> patti@example.com, you might be out of luck, even though Joe and Patti
> are two different user IDs on the same key.  In this case, you trust
> that Joe is a valid name on the key, and therefore you trust the key,
> but Patti is not a valid name, so you don't trust the key.

Thanks David (and Adrian) for your input! Although when I
referred to multiple uids in a key, I was meaning those that
belonged to the same person (i.e. user@some-email.com and
sameuser@someother-email.com), as are many times included in an
individual's key. Your explanations, even though they were
exampled with different users holding the uids on the key,
helped clarify it for me quite a bit.

> Personally, I email all of the user IDs before signing them
> to confirm the mail goes to someone who has access to the
> secret key half.

Good point I hadn't really ever considered before. Fortunately I
haven't had a situation where I didn't know if an email address
actually belonged to the keyholder or not (for exportable
signatures), but it's only logical... not sure? Don't sign!

> In the specific case you mention (a key used to verify a software
> package), it does not matter.  This is because in this case, the key
> is located by its key ID and not a particular user ID. Signing one or
> all of the user IDs will have the same function of trusting the key.

So if I understand this correctly, if a software tarball has
been signed by joe@bestestsoftware.com, yet that particular uid
(email address) is not his primary uid (but still exists on the
public key), and assuming that only the primary uid (let's say
that one is dev@bestestsoftware.com) was locally signed by me,
the package would still return a good signature when verified?

Thanks again guys for all your help!

--Dave

=====
David D. Scribner           Email: dscribner_at_bigfoot.com
IT Consultant & Services      Web: www.bigfoot.com/~dscribner/
Ph: (817) 461-4018           eFax: (630) 214-7769
CompTIA Linux+, Network+, A+ Certified Professional Technician
GnuPG/PGP: 3172 7408 58CA D9C2 F697  950F 9DDC
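A small model of the distinction this thread turns on, added here as an illustration (it is not code from the thread or from GnuPG): certifications are made on (key, user ID) pairs and validity is computed per user ID, whereas a package signature is resolved by the key ID it carries, so any one valid user ID on that key suffices. The key IDs, addresses and keyring are constructed sample values; the 1-complete/3-marginal thresholds are the classic GnuPG defaults.

```python
from dataclasses import dataclass, field

# GnuPG defaults for the classic trust model: one fully trusted
# certification, or three marginally trusted ones, validates a user ID.
COMPLETES_NEEDED, MARGINALS_NEEDED = 1, 3


@dataclass
class Key:
    keyid: str
    uids: list                      # user IDs; the first one is the primary
    ownertrust: str = "unknown"     # ultimate / full / marginal / unknown
    certs: dict = field(default_factory=dict)  # uid -> set of signer key IDs


def uid_validity(keyring, key, uid):
    """Validity is computed per user ID: a certification signs a (key, uid)
    pair, so signatures on other user IDs of the same key do not count."""
    signers = [keyring[s] for s in key.certs.get(uid, set()) if s in keyring]
    complete = sum(s.ownertrust in ("ultimate", "full") for s in signers)
    marginal = sum(s.ownertrust == "marginal" for s in signers)
    if complete >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
        return "full"
    return "unknown"


def key_for_address(keyring, addr):
    """Mail encryption looks the key up by user ID: the user ID for that
    exact address must be valid, or no key is returned (the Joe/Patti case)."""
    for key in keyring.values():
        if addr in key.uids and uid_validity(keyring, key, addr) == "full":
            return key.keyid
    return None


def verify_package(keyring, sig_keyid):
    """Package verification locates the key by the key ID carried in the
    signature; the key is trusted if any one of its user IDs is valid."""
    key = keyring.get(sig_keyid)
    if key is None:
        return ("no public key", False)
    valid = any(uid_validity(keyring, key, u) == "full" for u in key.uids)
    return ("good signature", valid)


# Constructed sample keyring: my own key has signed only Joe's primary UID,
# the situation asked about above.
ME = Key("0xME", ["me@example.net"], ownertrust="ultimate")
JOE = Key("0xJOE", ["dev@bestestsoftware.com", "joe@bestestsoftware.com"],
          certs={"dev@bestestsoftware.com": {"0xME"}})
KEYRING = {k.keyid: k for k in (ME, JOE)}
```

With this keyring, mail to the unsigned second address finds no valid key, while a tarball signed by the same key verifies as good and trusted because the lookup goes by key ID.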
