export single UID of a key
Michael Nahrath
gnupg-users@nahrath.de
Wed Apr 9 02:52:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David Shaw <dshaw@jabberwocky.com> wrote on 2003-04-09 00:00:
>>>> 2. Sign only one UID and send it in an encrypted mail to this UID's mail
>>>> address.
>>>> Do this for every UID in a key separately.
>>>> Do _not_ keep these signatures in your normal keyring.
>>>> If the key owner uploads the signatures to the keyservers he proves that
>>>> he owns the secret key. You get your signature back via '--refresh-keys'.
>>>
>>> Note that this doesn't really give you what you want in all cases.
>> Pure Certification keys or UIDs without e-mail address can't be checked that
>> way -- but they can't be checked with an encrypted challenge either.
>
> So don't encrypt the challenge. Encrypting the challenge doesn't buy
> you any additional security. You don't need confidentiality here -
> you need identity confirmation.
OK, that is the point!
I guess I was not alone in the misunderstanding that the main validation
feature in the challenge was the ability to _decrypt_ the challenge-cookie.
Thank you for clearing this!
>> AFAIKS the signatures are only detached to the UID parts, at least this is
>> how GPG and the keyservers display it.
>
> Nevertheless, you are signing the primary key plus the user ID. It
> doesn't matter how programs display it for human consumption.
How does this fit with the fact that trust in a (primary) key gets lost if a
user ID is revoked?
Is there any mechanism to sign somebody else's primary key without signing
any of his UIDs?
> You are signing the primary key... but giving someone with access to
> only the decryption key the ability to use your signature. Signing A,
> but giving B access to it. A and B are not necessarily the same
> person.
Maybe this is a bit overparanoid two days after a keysigning party where each
of the key owners presented his/her identity and key data in person.
Many people find this alone enough to sign keys. E-mail validation is only
an extra bonus.
But I understand that technical security is not about probability but about
(even theoretical) possibility ;-)
> By using a challenge, you are signing A, and requiring proof that the
> entity controls A.
I underestimated again, that the signing key is "the key" and all
encryption/decryption is secondary (sub-*) to it.
thanks for the advice,
greetings, Michi
P.S.: Anyway I am still interested if there is a way to sign, delete and
export single UIDs without using the --edit-key shell.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (Darwin)
Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C
iEYEARECAAYFAj6TbscACgkQ19dRf5pMcEwTQQCeIDQ82NyIU7X0zSW1YeABl3no
b3sAn2BItgI75tH+4i7I0tYIxJqMjf7C
=wYR3
-----END PGP SIGNATURE-----
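The two practical points of this exchange, David Shaw's remark that the challenge needs a signature from the primary key A rather than decryption, and Michael's P.S. about signing and exporting a single UID without the --edit-key shell, carried out as an added example in POSIX shell. This is not code from the original thread; it assumes GnuPG 2.1 or newer (the --quick-* commands and --export-filter did not exist in the GnuPG 1.2.2 of 2003), a gpg-agent that can be started, and uses constructed identities (alice@example.invalid, alice@work.invalid, bob@example.invalid) in a throwaway GNUPGHOME.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes GnuPG 2.1 or newer
# (the --quick-* commands and --export-filter did not exist in the 1.2.x of 2003).
# All identities below are constructed and non-deliverable.
set -eu

# Throwaway keyring so nothing touches the real ~/.gnupg.
export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"

# Constructed identities: Alice has two UIDs, Bob is the signer.
ALICE1='Alice Example <alice@example.invalid>'
ALICE2='Alice Example <alice@work.invalid>'
BOB='Bob Signer <bob@example.invalid>'

# gpg with the options needed for unattended use of passphrase-less test keys.
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint ("A" in the thread) of the key matching a UID, and its key ID.
fpr()   { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }
keyid() { fpr "$1" | tail -c 17; }

make_keys() {
  g --quick-gen-key "$ALICE1" default default never
  g --quick-add-uid "$ALICE1" "$ALICE2"
  g --quick-gen-key "$BOB" default default never
}

# Certify exactly one of Alice's UIDs with Bob's key; no --edit-key shell involved.
sign_one_uid() { g -u "$(fpr "$BOB")" --quick-sign-key "$(fpr "$ALICE1")" "$ALICE1"; }

# Export Alice's key with only that UID (and the certifications hanging off it) kept.
export_one_uid() {
  g --armor --export-filter 'keep-uid=mbox = alice@example.invalid' --export "$(fpr "$ALICE1")"
}

# Inspect an exported key on stdin without importing it anywhere.
count_uids() { gpg --batch --list-packets | grep -c '^:user ID packet:'; }
certs_by()   { gpg --batch --list-packets | grep -c "^:signature packet: algo [0-9]*, keyid $1"; }

# Challenge side: the nonce is mailed to the UID's address in the clear. Confidentiality
# is not needed; what is needed is proof that the recipient controls the primary key A.
make_challenge()   { head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'; }
answer_challenge() { printf '%s\n' "$1" | g -u "$(fpr "$ALICE1")" --armor --detach-sign; }

# Accept only if the signature verifies AND the primary fingerprint that GnuPG reports as
# the last field of its VALIDSIG status line equals the claimed A. Being able to decrypt
# something would only show control of the encryption subkey, which is not the same thing.
verify_challenge() {
  nonce=$1; sig=$2; claimed=$3
  printf '%s\n' "$sig" > "$GNUPGHOME/challenge.sig"
  printf '%s\n' "$nonce" | gpg --batch --status-fd 1 --verify "$GNUPGHOME/challenge.sig" - 2>/dev/null \
    | awk -v a="$claimed" '$2=="VALIDSIG" && $NF==a {ok=1} END{exit ok?0:1}'
}

make_keys
sign_one_uid
EXPORTED="$GNUPGHOME/alice-one-uid.asc"
export_one_uid > "$EXPORTED"
echo "UIDs in export: $(count_uids < "$EXPORTED")"                   # 1
echo "certs by Bob:   $(certs_by "$(keyid "$BOB")" < "$EXPORTED")"   # 1

NONCE=$(make_challenge)
SIG=$(answer_challenge "$NONCE")
if verify_challenge "$NONCE" "$SIG" "$(fpr "$ALICE1")"; then echo "challenge: signer controls A"; fi
if ! verify_challenge "$NONCE" "$SIG" "$(fpr "$BOB")"; then echo "challenge: not Bob's key"; fi
```

The script leaves the temporary keyring behind under $GNUPGHOME so the exported file and the signature can be inspected with --list-packets. The keyring itself still carries both of Alice's UIDs; only the export is reduced to the one that was certified, which is the "sign and export single UIDs" part of the P.S. (deleting a UID from the keyring is a separate --edit-key operation and is not shown here).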