export single UID of a key

Michael Nahrath gnupg-users@nahrath.de
Wed Apr 9 02:52:02 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Shaw <dshaw@jabberwocky.com> schrieb am 2003-04-09 00:00:

>>>> 2. Sign only one UID and send it in an encrypted mail to this UID's mail
>>>> address.
>>>> Do this for every UID in a key seperately.
>>>> Do _not_ keep these signatures in your normal keyring.
>>>> If the key owner uploads the signatures to the keyservers he prooves that
>>>> he owns the secret key. You get your signature back via '--refresh-keys'.
>>> 
>>> Note that this doesn't really give you what you want in all cases.

>> Pure Certification keys or UIDs without e-mail address can't be checked that
>> way -- but they can't be checked with an encrypted chelange either.
> 
> So don't encrypt the challenge.  Encrypting the challenge doesn't buy
> you any additional security.  You don't need confidentiality here -
> you need identity confirmation.

OK, that is the point!

I guess I was not alone in the misunderstanding, that the main validation
feature in the callange was the ability to _decrypt_ the callenge-cookie.

Thank you for clearing this!
 
>> AFAIKS the signatures are only detached to the UID parts, at least this is
>> how GPG and the keyservers display it.
> 
> Nevertheless, you are signing the primary key plus the user ID.  It
> doesn't matter how programs display it for human consumption.

How does this fit to the fact that trust to a (primary-) key gets lost if a
user ID is revoked?
Is there any mechanism to sign somebody else's primary key without signing
any of his UIDs? 
 
> You are signing the primary key... but giving someone with access to
> only the decryption key the ability to use your signature.  Signing A,
> but giving B access to it.  A and B are not necessarily the same
> person.

Maybe this a bit overparanoid two days after a keysigning party where each
of the key owners presented his/her idendity and key-data in person.
Many people find this alone enough to sign keys. E-mail validation is only
be an extra-bonus.

But I understand that technical security is not about probability but about
(even theoretical) possibility ;-)
 
> By using a challenge, you are signing A, and requiring proof that the
> entity controls A.

I underestimated again, that the signing key is "the key" and all
encryption/decription is secondary (sub-*) to it.

thanks for the advice,
greeting, Michi

P.S.: Anyway I am still interested if there is a way to sign, delet and
export single UIDs without using the --edit-key shell.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (Darwin)
Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C

iEYEARECAAYFAj6TbscACgkQ19dRf5pMcEwTQQCeIDQ82NyIU7X0zSW1YeABl3no
b3sAn2BItgI75tH+4i7I0tYIxJqMjf7C
=wYR3
-----END PGP SIGNATURE-----