Delete key from keyserver
Alex Mauer
hawke at hawkesnest.net
Wed Oct 26 03:50:11 CEST 2005
David Shaw wrote:
> Some people (myself included) check both before signing. The name via
> some sort of formal ID, and the email via a mail challenge.
As do I, at least for a level 3 signature.
> Still, if you don't want to bind both tokens together, just create a
> user ID of <hawke at hawkesnest.net> without the name attached or a user
> ID of "Alex Maurer" without the email address attached.
I understand that it's possible to do this. I was just lamenting the
fact that it is very strongly discouraged by GnuPG:
    Real name:
    Name must be at least 5 characters long
> Some people
> will not sign such a user ID though,
I don't understand why. If you trust the association of the Name and
key, how/why would having an email address in there as well improve the
trust?
> and at least the name-only one is
> of questionable usefulness in practice.
If it's of questionable usefulness, then having the name there at all is
of questionable usefulness, and so is the verification of documents.
Theoretically, the point of a physical meeting is:
* Physical person linked by photo ID to name.
* Name linked to key by the key field "Real Name"
? Possibly Physical person linked to photo UID by appearance.
Any verification of the email is a totally independent operation,
linking the email address and the key, but not the name with the email
address. Why should the signature connect them?
I could make a conventionally-UIDed new key with a friend's name and a
new email address, and he could meet with you and you could verify all
his official documents, but it would prove nothing about the email
address. Then you could verify the email address with your challenge
method of choice, and it would confirm that the recipient of the mail
could use the key. The end result would be a key that had an invalid
association between the name and the email address.
Not that this cannot be done even if the name and email address are
separate entities, but at least it becomes more obvious. And UIDs
wouldn't have to contain every combination of name and email address.
Anyway, the point of this rather long-winded bit is that it should be
possible to only sign the email if that's all that has been verified, or
only sign the name if that's all that's been verified.
-Alex Mauer "hawke"
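The arrangement argued for in this message, as an added example that is not part of the original thread and not GnuPG project code: a key carrying an e-mail-only user ID and a separate name-only user ID, and a certifier who signs only the e-mail UID, as if the mail challenge had been done but no ID document had been checked. It assumes GnuPG 2.2 or later on PATH and runs entirely in a throwaway keyring; the certifier identity (certifier at example.invalid) is constructed, the holder's name and address are the thread's own, reused only as illustration, and the level-3 certification is requested with --default-cert-level to match the practice described above. The two UIDs are created with batch --gen-key (which accepts Name-Email alone) and --quick-add-uid (which stores the string as given), so the interactive "at least 5 characters" prompt never runs.

```shell
#!/bin/sh
# Added example, not from the original thread and not GnuPG project code:
# one key with an e-mail-only UID and a name-only UID; a certifier signs
# only the e-mail UID. Needs GnuPG 2.2+ on PATH; uses a throwaway keyring.
# The certifier address is constructed; the holder's name and address are
# the thread's, reused here purely as illustration.
set -eu

KEYHOLDER_NAME="Alex Mauer"
KEYHOLDER_MAIL="hawke@hawkesnest.net"
CERTIFIER_MAIL="certifier@example.invalid"   # constructed, not a real address

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT

# Generate a key from batch parameters on stdin; print its primary
# fingerprint, taken from the KEY_CREATED status line.
gen_key() {
    gpg --batch --status-fd 1 --gen-key 2>/dev/null |
        awk '$2 == "KEY_CREATED" { print $4; exit }'
}

# For each user ID on key $1 print "signed(<class>): <uid>" when the key
# with long key ID $2 has a good certification on that UID, otherwise
# "unsigned: <uid>". Self-signatures carry the holder's key ID, so they
# never match $2.
certification_status() {
    gpg --batch --with-colons --check-sigs "$1" 2>/dev/null |
    awk -F: -v signer="$2" '
        function flush() {
            if (uid != "") print (cls != "" ? "signed(" cls "): " : "unsigned: ") uid
        }
        $1 == "uid" { flush(); uid = $10; cls = "" }
        $1 == "sig" && $2 == "!" && $5 == signer { cls = $11 }
        END { flush() }'
}

run_demo() {
    # Holder key: batch mode accepts Name-Email on its own, so no name is
    # attached; only the interactive prompt enforces the 5-character rule.
    HOLDER_FPR=$(gen_key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Email: $KEYHOLDER_MAIL
Expire-Date: 0
%commit
EOF
)
    [ -n "$HOLDER_FPR" ] || { echo "holder key generation failed" >&2; return 1; }

    # Second UID: the bare name, no address. --quick-add-uid stores the
    # string as given, without the interactive format checks.
    gpg --batch --quick-add-uid "$HOLDER_FPR" "$KEYHOLDER_NAME" 2>/dev/null

    # Certifier key, also unprotected so signing needs no pinentry.
    CERT_FPR=$(gen_key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Certifier
Name-Email: $CERTIFIER_MAIL
Expire-Date: 0
%commit
EOF
)
    [ -n "$CERT_FPR" ] || { echo "certifier key generation failed" >&2; return 1; }
    CERT_KEYID=$(printf '%s' "$CERT_FPR" | tail -c 16)   # v4 key ID: last 64 bits

    # Only the address was verified, so certify only the UID containing it
    # (--quick-sign-key does a case-insensitive substring match on the names
    # given). Level 3 is requested with --default-cert-level.
    gpg --batch --default-cert-level 3 --local-user "$CERT_FPR" \
        --quick-sign-key "$HOLDER_FPR" "$KEYHOLDER_MAIL" 2>/dev/null

    certification_status "$HOLDER_FPR" "$CERT_KEYID"
}

if command -v gpg >/dev/null 2>&1; then
    STATUS=$(run_demo)
    printf '%s\n' "$STATUS"
else
    STATUS=""
    echo "gpg not found on PATH; nothing was run" >&2
fi
```

Running it prints one line per user ID: the e-mail UID shows a signature of class 13x (a level-3 certification) from the certifier, the name UID shows "unsigned". Two caveats. The name-only and e-mail-only UIDs still live on one key, so the key itself still binds them; what the split buys is that each certifier's signature says only what that certifier checked. And if the interactive key generation path is wanted instead of batch mode, `--allow-freeform-uid` disables the format checks on the Real name prompt, at the cost of producing user IDs that other software may not parse as name/e-mail pairs.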