Matching a key with other emails

Parabola parabola at
Wed Nov 19 00:33:01 CET 2003

Neil Williams wrote:
> On Monday 17 Nov 2003 3:59 pm, Parabola wrote:
>>Some people in my keyring send and receive emails using multiple
>>addresses (say, name at and name at but each one of them
>>just keep one keep key which only maps to one of the addresses (say,
>>name at Now every time I'm sending / replying mails to their
>>secondary addresses (name at, my mail client (Mozilla +
>>Enigmail) will complain that it doesn't know name at and I have
>>to manually select the key that maps to name at
>>Assume that I can't get them to add them secondary address to their
> (Devil's Advocate mode)
> Then how can you be sure it is the same person? It could be a properly signed 
> message coming from a dubious account using a compromised key! Your nicely 
> encrypted reply (seeing as GnuPG only asks for a receiving key when 
> encrypting, not signing) could be going to the wrong person entirely!

1) I know this guy in person.
2) I know this guy is using the address name at
3) I know this guy has an additional address name at (Ok, 
hotmail might be a bad example. Let's say, his secondary address is 
name at

> GnuPG can't tell the difference, even if you might. Hotmail is hardly going to 
> help you confirm it is the same person. The whole point of the web-of-trust 
> is that it is easy to setup these secondary UID's, each one can be signed 
> individually and it provides a level of trust in not just the key but the 
> email account and the physical person. You really should reconsider 
> encrypting to an account that is untrusted. (That's what GnuPG is trying to 
> tell you via Enigmail.)
> It's up to the key owner to amend the key, GnuPG can't assume that something 
> can be trusted when it's just as possible to be a compromised key.

I absolutely agree with u that HE should be the one to fix this... but 
hey! If u can't move building, will u just sit there and complain about 
it? Or would u actually try to walk around it? =)



More information about the Gnupg-users mailing list