GnuPG asks for confirmation...
Laurent Jumet
laurent.jumet at skynet.be
Thu Jun 1 10:44:27 CEST 2006
Hello!
Sven Radde <sven at radde.name> wrote:
>>> But this is logical, isn't it?
>>> You don't trust a key (what's there to trust?). You trust the fact that
>>> *a certain key belongs to a certain user-id* and if new ids are added,
>>> you would have to think again if the owner of the key actually owns that
>>> id.
>>>
>> Of course, he owns.
>> It's impossible to add or revoke a UserID without the SecretKey.
>> No matter if I add a UserID to my Key: it's the same Key.
> Trust is not about owning the key. It is about owning the *user-id* and
> in particular linking a user-id (= a real person) to a key.
> In other words: Who would prevent you from adding "sven at radde.name" as a
> user-id to your key? (Or, creating a new key with that user-id.)
> Still, as nobody would believe that my email-address belongs to your key
> (i.e. that new user-id on your key is not trusted by anyone), my emails
> would not get encrypted to your key. People would approach me (my
> user-id) for verification of the key's fingerprint and I could deny that
> the key belongs to me / my user-id.
You are right.
But what I noticed is this:
Let's suppose your Key has 4 UserIDs, all fully trusted.
You add one more UserID, "Winston Churchill".
All 4 previous UserIDs are compromised too, at the moment you added another one.
That's what *I think* I noticed.
--
Laurent Jumet
KeyID: 0xCFAF704C