export single UID of a key
Tue Apr 8 23:12:01 2003
-----BEGIN PGP SIGNED MESSAGE-----
David Shaw <firstname.lastname@example.org> wrote on 2003-04-08 20:45:
>> 2. Sign only one UID and send it in an encrypted mail to this UID's mail
>> Do this for every UID in a key separately.
>> Do _not_ keep these signatures in your normal keyring.
>> If the key owner uploads the signatures to the keyservers he proves that
>> he owns the secret key. You get your signature back via '--refresh-keys'.
> Note that this doesn't really give you what you want in all cases.
> OpenPGP keys are usually made up of a primary signing key and a number
> of secondary encryption keys. There are other combinations, but that
> is by far the most common.
I am aware of the limitation to keys with encryption subkeys.
Pure Certification keys or UIDs without e-mail address can't be checked that
way -- but they can't be checked with an encrypted challenge either.
> Anyway, when you sign a key, you are actually signing the primary key
> plus the user ID.
AFAIKS the signatures are only detached to the UID parts, at least this is
how GPG and the keyservers display it.
Is there a difference in the end if I sign all UIDs in one turn or each by
its own (except for differences in signing time)?
> If you follow #2 above, you are actually sending
> the signed key to an entity that may or may not control the signing
> key -
Is it possible that someone owns and uses only the decryption subkey but
not the primary signing key to it?
> in effect, signing something without strong proof that the
> recipient actually "owns" that key.
If the owner of the UID's e-mail doesn't control the secret key to decrypt
my message the signed key will stay unpacked forever.
After signing and sending it doesn't even exist in my keyring any more.
> There are cases where this isn't a problem (a PGP 2.x key, or a
> sign+encrypt primary key), but the common case is a problem.
Sorry, if there is a basic logical problem I still don't get the point.
At least I don't see the advantage of the challenge method, for it depends
on checking the ability to decrypt an encrypted message as well.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----