export single UID of a key
David Shaw
dshaw@jabberwocky.com
Tue Apr 8 20:45:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, Apr 08, 2003 at 04:11:28AM +0200, Michael Nahrath wrote:
> For e-mail validation after keysignings there are basically two methods:
>
> 1. Send a challenge in an encrypted mail to each UID's e-mail address and
> wait for the decrypted answers before you sign.
>
> 2. Sign only one UID and send it in an encrypted mail to this UID's mail
> address.
> Do this for every UID in a key separately.
> Do _not_ keep these signatures in your normal keyring.
> If the key owner uploads the signatures to the keyservers he proves that
> he owns the secret key. You get your signature back via '--refresh-keys'.
Note that this doesn't really give you what you want in all cases.
OpenPGP keys are usually made up of a primary signing key and a number
of secondary encryption keys. There are other combinations, but that
is by far the most common.

Anyway, when you sign a key, you are actually signing the primary key
plus the user ID. If you follow #2 above, you are actually sending
the signed key to an entity that may or may not control the signing
key - in effect, signing something without strong proof that the
recipient actually "owns" that key.

There are cases where this isn't a problem (a PGP 2.x key, or a
sign+encrypt primary key), but the common case is a problem.
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc
iD8DBQE+kxjj4mZch0nhy8kRApsfAKCVpL38CtVPG+ykEzGzsMgVh9+e7wCfeOh+
WjipoAskAIvsHxFBi1pvEI4=
=IXGz
-----END PGP SIGNATURE-----
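The structural point David makes (a certification covers the primary key plus one user ID, while mail is encrypted to a separate subkey) can be seen directly in the packet layout of a key block. The following Python script is an added example, not code from the thread or from GnuPG: it frames two constructed key blocks using RFC 4880 old-format packet headers, walks them, and reports what each signature binds and which key material could decrypt a challenge. The user ID, creation times and MPI magnitudes are placeholders chosen for this example and the signatures would not verify; only the framing and the key-flags subpackets are meaningful.

```python
"""Added example: show what an OpenPGP certification binds versus which key
can decrypt a challenge. Sample keys are constructed; MPIs are placeholders."""
import hashlib
import struct

# Packet tags (RFC 4880, section 4.3)
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 2, 6, 13, 14
# Signature types (section 5.2.1): 0x10-0x13 certify a (primary key, user ID) pair
CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}
SUBKEY_BINDING = 0x18
# Key-flags subpacket bits (section 5.2.3.21)
FLAG_CERTIFY, FLAG_SIGN, FLAG_ENCRYPT_COMM, FLAG_ENCRYPT_STORAGE = 0x01, 0x02, 0x04, 0x08
ENCRYPT_FLAGS = FLAG_ENCRYPT_COMM | FLAG_ENCRYPT_STORAGE


def old_packet(tag, body):
    """Frame a body with an old-format header and a one-octet length (section 4.2.1)."""
    assert len(body) < 256
    return bytes([0x80 | (tag << 2), len(body)]) + body


def mpi(magnitude):
    """Multiprecision integer: two-octet bit count followed by the magnitude."""
    return struct.pack(">H", int.from_bytes(magnitude, "big").bit_length()) + magnitude


def v4_key_body(created, algo, *mpis):
    """Version 4 public key: version, creation time, algorithm id, algorithm MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)


def v4_signature_body(sig_type, flags):
    """Version 4 signature carrying one hashed key-flags subpacket (type 27)."""
    hashed = bytes([2, 27, flags])  # subpacket length counts the type octet (section 5.2.3.1)
    return (bytes([4, sig_type, 1, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", 0) + b"\x00\x00" + mpi(b"\x2a"))


def parse_packets(data):
    """Split an old-format packet stream into (tag, body) pairs."""
    packets, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80 or hdr & 0x40:
            raise ValueError("only old-format packet headers are handled here")
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length is not supported")
        width = (1, 2, 4)[ltype]
        length = int.from_bytes(data[i + 1:i + 1 + width], "big")
        i += 1 + width
        packets.append((tag, data[i:i + length]))
        i += length
    return packets


def fingerprint(key_body):
    """v4 fingerprint: SHA-1 over 0x99, two-octet body length, body (section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def signature_info(sig_body):
    """Return (signature type, key-flags octet) from a v4 signature's hashed subpackets."""
    sig_type = sig_body[1]
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    sub, i, flags = sig_body[6:6 + hashed_len], 0, 0
    while i < len(sub):
        length = sub[i]  # one-octet subpacket lengths (< 192) are enough here
        if sub[i + 1] == 27:
            flags = sub[i + 2]
        i += 1 + length
    return sig_type, flags


def bindings(data):
    """List (kind, primary fingerprint, bound user ID or subkey, key flags) per signature."""
    primary = current = uid = None
    out = []
    for tag, body in parse_packets(data):
        if tag == TAG_PUBLIC_KEY:
            primary = current = fingerprint(body)
        elif tag == TAG_PUBLIC_SUBKEY:
            current = fingerprint(body)
        elif tag == TAG_USER_ID:
            uid = body.decode("utf-8")
        elif tag == TAG_SIGNATURE:
            sig_type, flags = signature_info(body)
            if sig_type in CERTIFICATION_TYPES:  # covers primary key + this user ID only
                out.append(("certification", primary, uid, flags))
            elif sig_type == SUBKEY_BINDING:     # ties this subkey to the primary key
                out.append(("subkey binding", primary, current, flags))
    return out


def keys_that_can_decrypt(data):
    """Fingerprints whose flags allow encryption: the primary takes its flags from the
    user-ID self-signature, a subkey from its binding signature."""
    return {sub if kind == "subkey binding" else prim
            for kind, prim, sub, flags in bindings(data) if flags & ENCRYPT_FLAGS}


def challenge_reaches_primary(data):
    """Does decrypting a challenge demonstrate control of the primary key, i.e. the
    key the certification is about? Only if the primary itself can decrypt."""
    tag, body = parse_packets(data)[0]
    assert tag == TAG_PUBLIC_KEY
    return fingerprint(body) in keys_that_can_decrypt(data)


UID = b"Test User <test@example.org>"  # constructed user ID
# Common layout: signing primary key plus a separate encryption subkey.
SPLIT_KEY = (old_packet(TAG_PUBLIC_KEY, v4_key_body(0x3E931800, 1, b"\xc5", b"\x03"))
             + old_packet(TAG_USER_ID, UID)
             + old_packet(TAG_SIGNATURE, v4_signature_body(0x13, FLAG_CERTIFY | FLAG_SIGN))
             + old_packet(TAG_PUBLIC_SUBKEY, v4_key_body(0x3E931801, 1, b"\xd7", b"\x03"))
             + old_packet(TAG_SIGNATURE, v4_signature_body(SUBKEY_BINDING, ENCRYPT_FLAGS)))
# The exception David names: a single sign+encrypt primary key with no subkey.
COMBINED_KEY = (old_packet(TAG_PUBLIC_KEY, v4_key_body(0x3E931800, 1, b"\xc5", b"\x03"))
                + old_packet(TAG_USER_ID, UID)
                + old_packet(TAG_SIGNATURE, v4_signature_body(0x13, FLAG_CERTIFY | FLAG_SIGN | ENCRYPT_FLAGS)))

if __name__ == "__main__":
    for name, key in (("split key", SPLIT_KEY), ("sign+encrypt key", COMBINED_KEY)):
        print(name, bindings(key), "proves primary:", challenge_reaches_primary(key))
```

For the split key the only encryption-capable fingerprint is the subkey's, so a decrypted reply shows control of the subkey while the certification being handed back covers the primary key and user ID; for the combined key the same fingerprint appears in both roles and the check passes. A real key block exported by GnuPG may use new-format headers and longer length encodings, which this parser deliberately does not handle.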