E-Mail Encryption: Why Isn't Everyone Doing It?

David Shaw dshaw@jabberwocky.com
Tue Oct 29 13:19:01 2002

On Tue, Oct 29, 2002 at 09:44:31AM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> I'd propose that the CA-bot only sign userids with *only* the email
> address, to make it clear that no binding between email address and any
> real name is confirmed. But I wouldn't recommend requiring any special
> comment on the userid - the userid should be usable to collect other
> signatures on it as well.

The comment I was referring to would be on the CA-bot key itself to
help make the purpose of the key clear.  The comment is not on the key
that is being signed.  The Thawte system added user IDs to the signed
key which I always thought was really ugly.

> > One gotcha we can avoid, if there are multiple levels of certification
> > in the future, is to use a different signing key for each.  That way
> > users can trust the signing key for the exact service they want.  I
> > understand Thawte got this detail wrong when they set up their PGP
> > signing service.
> I'd prefer multiple signing keys over the 0x[123] signature thing, too.
> The default userid of the key should make it clear which certification
> was issued.

I'm planning (if I do this) on using them all together (0x11, policy
URL, a comment on the signing key, and a different key for each sort
of certification).  It's the only way to really work well across
multiple OpenPGP implementations.


   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson