Matching a key with other emails
parabola at ozemail.com.au
Wed Nov 19 00:33:01 CET 2003
Neil Williams wrote:
> On Monday 17 Nov 2003 3:59 pm, Parabola wrote:
>>Some people in my keyring send and receive emails using multiple
>>addresses (say, name at isp.com and name at hotmail.com) but each one of them
>>just keep one keep key which only maps to one of the addresses (say,
>>name at isp.com). Now every time I'm sending / replying mails to their
>>secondary addresses (name at hotmail.com), my mail client (Mozilla +
>>Enigmail) will complain that it doesn't know name at hotmail.com and I have
>>to manually select the key that maps to name at isp.com.
>>Assume that I can't get them to add them secondary address to their
> (Devil's Advocate mode)
> Then how can you be sure it is the same person? It could be a properly signed
> message coming from a dubious account using a compromised key! Your nicely
> encrypted reply (seeing as GnuPG only asks for a receiving key when
> encrypting, not signing) could be going to the wrong person entirely!
1) I know this guy in person.
2) I know this guy is using the address name at isp.com.
3) I know this guy has an additional address name at hotmail.com. (Ok,
hotmail might be a bad example. Let's say, his secondary address is
name at isp2.com.)
> GnuPG can't tell the difference, even if you might. Hotmail is hardly going to
> help you confirm it is the same person. The whole point of the web-of-trust
> is that it is easy to setup these secondary UID's, each one can be signed
> individually and it provides a level of trust in not just the key but the
> email account and the physical person. You really should reconsider
> encrypting to an account that is untrusted. (That's what GnuPG is trying to
> tell you via Enigmail.)
> It's up to the key owner to amend the key, GnuPG can't assume that something
> can be trusted when it's just as possible to be a compromised key.
I absolutely agree with u that HE should be the one to fix this... but
hey! If u can't move building, will u just sit there and complain about
it? Or would u actually try to walk around it? =)
More information about the Gnupg-users