Signing Keys w/ Multiple User IDs

David Shaw dshaw@jabberwocky.com
Wed Jul 31 21:35:02 2002


On Tue, Jul 30, 2002 at 09:14:13PM -0700, David Scribner wrote:
> --- David Shaw <dshaw@jabberwocky.com> wrote:

> > In the specific case you mention (a key used to verify a software
> > package), it does not matter.  This is because in this case, the
> > key is located by its key ID and not a particular user ID. Signing
> > one or all of the user IDs will have the same function of trusting
> > the key.
> 
> So if I understand this correctly, if a software tarball has been
> signed by joe@bestestsoftware.com, yet that particular uid (email
> address) is not his primary uid (but still exists on the public
> key), and assuming that only the primary uid (let's say that one is
> dev@bestestsoftware.com) was locally signed by me, the package would
> still return a good signature when verified?

Yes.  When a key is selected by key ID, the exact details of user ID
pretty much don't matter.  As long as one of the user IDs is fully
trusted, then the key is fully trusted.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
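
The rule in the reply above, as an added example that is not part of the original message and is not GnuPG's own code: a key picked by key ID counts as valid when any one of its user IDs is fully valid. The listing below is constructed in the shape of `gpg --list-keys --with-colons` output; the key IDs, dates and function names are assumptions made for illustration.

```python
# Validity letters from field 2 of GnuPG's --with-colons listing, ranked.
# Letters not listed here (r revoked, e expired, i invalid) never raise validity.
RANK = {"-": 0, "o": 0, "q": 0, "n": 1, "m": 2, "f": 3, "u": 4}

# Constructed sample: only dev@ has been locally signed, joe@ has not.
SAMPLE = """\
pub:f:1024:17:0123456789ABCDEF:1027900000:::-:::scESC:
uid:f::::1027900000::::Best Software <dev@bestestsoftware.com>:
uid:-::::1027900000::::Joe <joe@bestestsoftware.com>:
pub:-:1024:17:FEDCBA9876543210:1027900000:::-:::scESC:
uid:-::::1027900000::::Unsigned Key <nobody@example.org>:
"""

def parse_keys(listing):
    """Return {key_id: [(uid_validity, uid_string), ...]}."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]            # field 5: long key ID
            keys[current] = []
        elif f[0] == "uid" and current is not None:
            keys[current].append((f[1], f[9]))  # fields 2 and 10
    return keys

def validity_by_key_id(keys, key_id):
    """Best validity among the key's user IDs. This is what counts when a
    signature names its signer by key ID rather than by user ID."""
    best = "-"
    for validity, _uid in keys.get(key_id, []):
        if RANK.get(validity, -1) > RANK[best]:
            best = validity
    return best

def signature_trusted(keys, signer_key_id):
    """True when at least one user ID on the signing key is fully valid."""
    return RANK[validity_by_key_id(keys, signer_key_id)] >= RANK["f"]

if __name__ == "__main__":
    keys = parse_keys(SAMPLE)
    for key_id in keys:
        print(key_id, validity_by_key_id(keys, key_id),
              signature_trusted(keys, key_id))
```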