How trust works in gpg...

Sven Radde email at sven-radde.de
Tue Apr 15 16:05:45 CEST 2008


Peter Lewis schrieb:
>> Because you do not know whether the owner of UID1 is also the owner of
>> UID2.
>>
>> Let's say, someone trusts my key and my user-id on that key.
>> Now, I add another ID: "Stan Tobias <sttob at mailshack.com>"...
>> Not a good idea to trust that without checking, is it?
>>
> But isn't that the point of signing new UIDs with the original one?
>
You don't sign with a UID. You always sign with a private key.
Signing a new UID with the same key that was used to sign another UID
proves that the same person that created the first UID created the
second one.
It does not prove that the person controls (or is identified by) the
second UID.

As I said before: If you trust my key, I could simply add "Stan Tobias
<sttob at mailshack.com>" as a UID to my key.
If this new UID was trusted immediately, you would use *my* key to
encrypt emails intended to go to Stan!

The crucial thing is connecting the person identified by a UID with a
private key.
This is what is meant by "trust" in a UID, and in OpenPGP this trust is
expressed by signing the UID with your key.

cu, Sven


