Delete key from keyserver

Alex Mauer hawke at hawkesnest.net
Wed Oct 26 19:26:31 CEST 2005


David Shaw wrote:

>>>Some people
>>>will not sign such a user ID though, 
> 
> It's not an issue of improving the trust, it's an issue of
> disambiguation.  

Right, so why is it any better to have a key with:
0x99242560 David Shaw <dshaw at jabberwocky.com>

than to have
0x99242560 David Shaw
0x99242560 dshaw at jabberwocky.com
(two UIDs)

You still have the same level of disambiguation.  Why would someone be
unwilling to sign the one, but willing to sign the other?

> Questionable usefulness *in practice*, I said.  In practice, one of
> the major uses for GPG is email, and mail clients tend to look for
> keys by email address.  It's an email client design issue, not a
> cryptographic issue.

Yes, a key without any UID containing an email address is of
questionable usefulness.  Agreed.

> My key has both my name and
> email address, and I don't want people signing just one.

But if they can only prove one part of the data to their satisfaction,
why should they not sign only that part?

> Give a challenge cookie to the person when you meet them, and ask them
> for it in the email challenge.  It proves that the person who is
> responding to your mail is either the physical person you met, or is
> at least in communication with them.

"In communication with them" is not good enough for the level of trust
that these checks imply.  Besides, the scenario I described already
implies that they must be in communication.

But it's really irrelevant to the original point, which is that in many
cases, the real name doesn't matter; only the email address/key does.
"If I know a person only by email, then that email *is* the person to
me."  In that case, if the email is trusted, then the name on the UID is
irrelevant.  I might be willing to trust that key ID 0x99242560 really
is used by the holder of email dshaw at jabberwocky.com, but not that the
person in question really is named David Shaw. ... and in most cases, I
probably don't really care about the real name of the keyholder, only
about the email address.  So why should I have to sign both in order to
declare this trust?
-- 
Bad - You get pulled over for doing 90 in a school zone and you're drunk
off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient
flesh-eating beetles.
OpenPGP key id: 0x51192FF2 @ subkeys.pgp.net