export single UID of a key

David Shaw dshaw@jabberwocky.com
Tue Apr 8 20:45:02 2003

Hash: SHA1

On Tue, Apr 08, 2003 at 04:11:28AM +0200, Michael Nahrath wrote:

> For e-mail validation after keysignings there are basically two methods:
> 1. Send a challenge in an encrypted mail to each UIDs e-mail address and
> wait for the decrypted answers before you sign.
> 2. Sign only one UID and send it in an encrypted mail to this UID's mail
> address.
> Do this for every UID in a key seperately.
> Do _not_ keep these signatures in your normal keyring.
> If the key owner uploads the signatures to the keyservers he prooves that
> he owns the secret key. You get your signature back via '--refresh-keys'.

Note that this doesn't really give you what you want in all cases.
OpenPGP keys are usually made up of a primary signing key and a number
of secondary encryption keys.  There are other combinations, but that
is by far the most common.

Anyway, when you sign a key, you are actually signing the primary key
plus the user ID.  If you follow #2 above, you are actually sending
the signed key to an entity that may or may not control the signing
key - in effect, signing something without strong proof that the
recipient actually "owns" that key.

There are cases where this isn't a problem (a PGP 2.x key, or a
sign+encrypt primary key), but the common case is a problem.

Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc