Matching a key with other emails
Neil Williams
linux at codehelp.co.uk
Mon Nov 17 18:46:07 CET 2003
On Monday 17 Nov 2003 3:59 pm, Parabola wrote:
> Hi,
>
> Some people in my keyring send and receive emails using multiple
> addresses (say, name at isp.com and name at hotmail.com) but each one of them
> just keeps one key which only maps to one of the addresses (say,
> name at isp.com). Now every time I'm sending / replying mails to their
> secondary addresses (name at hotmail.com), my mail client (Mozilla +
> Enigmail) will complain that it doesn't know name at hotmail.com and I have
> to manually select the key that maps to name at isp.com.
>
> Assume that I can't get them to add their secondary address to their

(Devil's Advocate mode)

Then how can you be sure it is the same person? It could be a properly signed
message coming from a dubious account using a compromised key! Your nicely
encrypted reply (seeing as GnuPG only asks for a receiving key when
encrypting, not signing) could be going to the wrong person entirely!

GnuPG can't tell the difference, even if you might. Hotmail is hardly going to
help you confirm it is the same person. The whole point of the web-of-trust
is that it is easy to set up these secondary UIDs, each one can be signed
individually and it provides a level of trust in not just the key but the
email account and the physical person. You really should reconsider
encrypting to an account that is untrusted. (That's what GnuPG is trying to
tell you via Enigmail.)

It's up to the key owner to amend the key, GnuPG can't assume that something
can be trusted when it's just as possible to be a compromised key.

> keys, is it possible for me to tell my GPG that "hey! mails sent to
> name at hotmail.com should be using the name at isp.com key!"?

Without verification by the person concerned, how can you be sure? If you've
got partial verification (he says it's OK), why won't that person do it
properly?
--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
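
The check discussed in this message, as an added example that is not part of the original post: given GnuPG's colon-delimited key listing (`gpg --with-colons --list-keys`), decide whether a recipient address is actually a user ID on the chosen key and whether that user ID is valid. The listing, key IDs and `.example` addresses below are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` output (not from the thread).
# Field 1 = record type, field 2 = validity, field 5 = key ID, field 10 = user ID.
SAMPLE = """\
pub:f:2048:1:1111111111111111:1068000000:::-:::scESC:
uid:f::::1068000000::0000000000000000000000000000000000000000::Name <name@isp.example>:
uid:-::::1068000000::0000000000000000000000000000000000000001::Name <name@webmail.example>:
sub:f:2048:1:2222222222222222:1068000000::::::e:
pub:-:2048:1:3333333333333333:1068000000:::-:::scESC:
uid:-::::1068000000::0000000000000000000000000000000000000002::Other <other@isp.example>:
"""

TRUSTED = {"f", "u"}  # validity letters for "full" and "ultimate"


def _unescape(field):
    # User IDs in colon listings escape ':' and similar bytes as \xNN.
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def uid_validity(listing, address):
    """Return {key ID: validity letter} for keys with a user ID for address."""
    found, keyid = {}, None
    wanted = address.lower()
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keyid = f[4]
        # Older GnuPG puts the primary user ID on the pub record itself.
        if f[0] in ("pub", "uid") and len(f) > 9 and keyid:
            m = re.search(r"<([^<>]+)>\s*$", _unescape(f[9]))
            if m and m.group(1).lower() == wanted:
                found[keyid] = f[1] or "-"
    return found


def may_encrypt(listing, keyid, address):
    """True only if address is a user ID on keyid with full/ultimate validity."""
    return uid_validity(listing, address).get(keyid) in TRUSTED


if __name__ == "__main__":
    for addr in ("name@isp.example", "name@webmail.example", "x@webmail.example"):
        print(addr, may_encrypt(SAMPLE, "1111111111111111", addr))
```

An address that appears on the key but carries no valid signatures is refused in the same way as an address that is not on the key at all.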