Matching a key with other emails

Neil Williams linux at codehelp.co.uk
Mon Nov 17 18:46:07 CET 2003 

On Monday 17 Nov 2003 3:59 pm, Parabola wrote:
> Hi,
>
> Some people in my keyring send and receive emails using multiple
> addresses (say, name at isp.com and name at hotmail.com) but each one of them
> just keep one keep key which only maps to one of the addresses (say,
> name at isp.com). Now every time I'm sending / replying mails to their
> secondary addresses (name at hotmail.com), my mail client (Mozilla +
> Enigmail) will complain that it doesn't know name at hotmail.com and I have
> to manually select the key that maps to name at isp.com.
>
> Assume that I can't get them to add them secondary address to their

(Devil's Advocate mode)
Then how can you be sure it is the same person? It could be a properly signed 
message coming from a dubious account using a compromised key! Your nicely 
encrypted reply (seeing as GnuPG only asks for a receiving key when 
encrypting, not signing) could be going to the wrong person entirely!

GnuPG can't tell the difference, even if you might. Hotmail is hardly going to 
help you confirm it is the same person. The whole point of the web-of-trust 
is that it is easy to setup these secondary UID's, each one can be signed 
individually and it provides a level of trust in not just the key but the 
email account and the physical person. You really should reconsider 
encrypting to an account that is untrusted. (That's what GnuPG is trying to 
tell you via Enigmail.)

It's up to the key owner to amend the key, GnuPG can't assume that something 
can be trusted when it's just as possible to be a compromised key.

> keys, is it possible for me to tell my GPG that "hey! mails sending to
> name at hotmail.com should be using key that name at isp.com key!)?

Without verification by the person concerned, how can you be sure? If you've 
got partial verification (he says it's OK), why won't that person do it 
properly?


-- 

Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/

http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: signature
Url : /pipermail/attachments/20031117/7305473b/attachment.bin

More information about the Gnupg-users mailing list