How trust works in gpg...
Sven Radde
email at sven-radde.de
Tue Apr 15 16:05:45 CEST 2008
Peter Lewis wrote:
>> Because you do not know whether the owner of UID1 is also the owner of
>> UID2.
>>
>> Let's say, someone trusts my key and my user-id on that key.
>> Now, I add another ID: "Stan Tobias <sttob at mailshack.com>"...
>> Not a good idea to trust that without checking, is it?
>>
> But isn't that the point of signing new UIDs with the original one?
>
You don't sign with a UID. You always sign with a private key.

Signing a new UID with the same key that was used to sign another UID
proves that the same person that created the first UID created the
second one.
It does not prove that the person controls (or is identified by) the
second UID.

As I said before: if you trust my key, I could simply add "Stan Tobias
<sttob at mailshack.com>" as a UID to my key.
If this new UID was trusted immediately, you would use *my* key to
encrypt emails intended to go to Stan!

The crucial thing is connecting the person identified by a UID with a
private key.
This is what is meant by "trust" in a UID, and in OpenPGP this trust is
expressed by signing the UID with your key.
cu, Sven
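As an added illustration (not from this post and not GnuPG's own code), here is a small Python model of the per-UID validity rule Sven describes: a certification applies to one exact (key, UID) pair, so a second UID that Sven self-signs onto his own key stays "unknown" even when his key is fully trusted as a certifier, while Stan's own key, certified by Sven, becomes valid. Fingerprints, names and the simplified ownertrust rule are constructed assumptions.

```python
# Added example: simplified model of OpenPGP user-ID validity (not gpg's code).
# Assumption, matching GnuPG's trust model: a UID on a key is valid only if
# that exact (key, UID) pair carries a certification from your own key or from
# a key you gave "full" owner trust; a self-signature binds the UID to the key
# but never counts toward its validity. All fingerprints below are constructed.
from dataclasses import dataclass, field

@dataclass
class Key:
    fpr: str
    uids: set = field(default_factory=set)    # self-signed UIDs on this key
    certs: set = field(default_factory=set)   # (target_fpr, uid) pairs this key certified

class Keyring:
    def __init__(self, my_key):
        self.my_key = my_key
        self.keys = {my_key.fpr: my_key}
        self.ownertrust = {}                  # fpr -> "full": we accept this key's certs

    def add(self, key):
        self.keys[key.fpr] = key

    def uid_validity(self, fpr, uid):
        key = self.keys[fpr]
        if uid not in key.uids:
            return "unknown"                  # UID is not bound to this key at all
        for signer in self.keys.values():
            if signer is key:                 # self-signature: ignored for validity
                continue
            if (fpr, uid) in signer.certs and (
                    signer is self.my_key or self.ownertrust.get(signer.fpr) == "full"):
                return "full"
        return "unknown"

    def keys_for_email(self, email):
        """Keys an encrypt-to-address step may use: only keys with a VALID UID
        that contains the address."""
        return sorted(fpr for fpr, k in self.keys.items() for uid in k.uids
                      if f"<{email}>" in uid and self.uid_validity(fpr, uid) == "full")

SVEN_UID = "Sven Radde <email@sven-radde.de>"
STAN_UID = "Stan Tobias <sttob@mailshack.com>"

def scenario():
    me, sven, stan = Key("ME0000"), Key("SVEN01", {SVEN_UID}), Key("STAN01", {STAN_UID})
    ring = Keyring(me); ring.add(sven); ring.add(stan)
    me.certs.add(("SVEN01", SVEN_UID))        # I checked and signed Sven's UID...
    ring.ownertrust["SVEN01"] = "full"        # ...and accept Sven as a certifier
    sven.uids.add(STAN_UID)                   # Sven puts Stan's UID on HIS OWN key (self-signed only)
    sven.certs.add(("STAN01", STAN_UID))      # Sven also certified Stan's real key
    return ring
```

Encrypting to sttob@mailshack.com selects only STAN01, never Sven's key, because the Stan UID on SVEN01 carries no certification from a trusted key.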