Matching a key with other emails

Parabola parabola at ozemail.com.au
Wed Nov 19 00:33:01 CET 2003


Neil Williams wrote:
> On Monday 17 Nov 2003 3:59 pm, Parabola wrote:
> 
>>Hi,
>>
>>Some people in my keyring send and receive emails using multiple
>>addresses (say, name at isp.com and name at hotmail.com) but each one of them
>>just keeps one key which only maps to one of the addresses (say,
>>name at isp.com). Now every time I'm sending / replying mails to their
>>secondary addresses (name at hotmail.com), my mail client (Mozilla +
>>Enigmail) will complain that it doesn't know name at hotmail.com and I have
>>to manually select the key that maps to name at isp.com.
>>
>>Assume that I can't get them to add their secondary address to their
> 
> 
> (Devil's Advocate mode)
> Then how can you be sure it is the same person? It could be a properly signed 
> message coming from a dubious account using a compromised key! Your nicely 
> encrypted reply (seeing as GnuPG only asks for a receiving key when 
> encrypting, not signing) could be going to the wrong person entirely!

Because:
1) I know this guy in person.
2) I know this guy is using the address name at isp.com.
3) I know this guy has an additional address name at hotmail.com. (Ok, 
hotmail might be a bad example. Let's say, his secondary address is 
name at isp2.com.)

> GnuPG can't tell the difference, even if you might. Hotmail is hardly going to 
> help you confirm it is the same person. The whole point of the web-of-trust 
> is that it is easy to set up these secondary UIDs, each one can be signed 
> individually and it provides a level of trust in not just the key but the 
> email account and the physical person. You really should reconsider 
> encrypting to an account that is untrusted. (That's what GnuPG is trying to 
> tell you via Enigmail.)
> 
> It's up to the key owner to amend the key, GnuPG can't assume that something 
> can be trusted when it's just as possible to be a compromised key.

I absolutely agree with u that HE should be the one to fix this... but 
hey! If u can't move a building, will u just sit there and complain about 
it? Or would u actually try to walk around it? =)

Regards,

Parabola



