How trust works in gpg...

Stan Tobias sttob at
Tue Apr 15 14:13:51 CEST 2008

Herbert Furting wrote:
> If the new UID just contains a new email address, you should really
> check if the keyholder "controlls" that email address.
> You can do so, by sending him an encrypted challenge.

[another newbie here]
I don't understand this.  If a public key has a UID1, which I already
trust, and a new UID2 is added, why can't I infer trust for the new uid?
My reasoning goes: UID1 is signed by its owner's private key, and I chose
to trust it (directly, or through others' sigs).  When new UID2 is added,
it must be also signed by the same private key, which is connected to
UID1, which I trust belongs to the person it says it belongs to.  So the
only person that could have added UID2 is the one that is in control of
UID1 (supposedly, it's the same person).  Why is there a need to check

Stan Tobias

[ Apologies to Peter Lewis for sending this post to the wrong address,
  and thank-yous for notifying me. ]

More information about the Gnupg-users mailing list