How trust works in gpg...

David Shaw dshaw at jabberwocky.com
Tue Apr 15 19:37:52 CEST 2008


On Tue, Apr 15, 2008 at 02:13:51PM +0200, Stan Tobias wrote:
> Herbert Furting wrote:
> > If the new UID just contains a new email address, you should really
> > check if the keyholder "controls" that email address.
> > You can do so by sending him an encrypted challenge.
> 
> [another newbie here]
> I don't understand this.  If a public key has a UID1, which I already
> trust, and a new UID2 is added, why can't I infer trust for the new uid?
> My reasoning goes: UID1 is signed by its owner's private key, and I chose
> to trust it (directly, or through others' sigs).  When new UID2 is added,
> it must be also signed by the same private key, which is connected to
> UID1, which I trust belongs to the person it says it belongs to.  So the
> only person that could have added UID2 is the one that is in control of
> UID1 (supposedly, it's the same person).  Why is there a need to check
> anything?

Because of the word "supposedly" in your question above :) You don't
really *know* that UID2 refers to the same real-world person as UID1
without checking.

Now, if UID1 is "David Shaw", and UID2 is "Dave Shaw" (and the email
address is the same for both), you can probably sign UID2 without too
much worry.  But if UID1 is "John Smith <john at example.com>" and UID2
is "Bill Smith <bill at example.net>", you need to ask some questions
before signing UID2.

David
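The encrypted-challenge check Herbert describes upthread, carried out end to end against throw-away keyrings, as an added example (this is not code from the thread or from the GnuPG project). It assumes GnuPG 2.1 or later is installed as `gpg`; the names and addresses (John Smith at example.com, Bill Smith at example.net) are constructed to mirror the UIDs in David's reply, and delivery of the challenge to the new address is simulated by handing the file over inside the script.

```shell
#!/bin/sh
# Added example: verify that the holder of a key also reads mail at the address
# in a newly added UID, before certifying that UID. Assumes GnuPG 2.1+.
# All key names, addresses and the "mailbox" handoff are constructed.
set -eu

WORK=$(mktemp -d)
VERIFIER="$WORK/verifier"   # keyring of the person deciding whether to sign UID2
HOLDER="$WORK/holder"       # keyring of the keyholder whose new UID is in question
mkdir -m 700 "$VERIFIER" "$HOLDER"

gpg_v() { gpg --homedir "$VERIFIER" --batch --quiet --no-tty "$@"; }
gpg_h() { gpg --homedir "$HOLDER" --batch --quiet --no-tty "$@"; }

# Keyholder: generate a key with UID1, then add UID2 carrying a different address.
gpg_h --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'John Smith <john@example.com>' default default never
FPR=$(gpg_h --with-colons --list-keys john@example.com \
      | awk -F: '$1 == "fpr" { print $10; exit }')
gpg_h --pinentry-mode loopback --passphrase '' \
    --quick-add-uid "$FPR" 'Bill Smith <bill@example.net>'

# Keyholder publishes; the verifier imports the public key. The self-signature
# on UID2 proves only that whoever holds the secret key added it, nothing about
# who reads bill@example.net.
gpg_h --export "$FPR" | gpg_v --import

# Verifier: a fresh random token, encrypted to the key selected by UID2's address.
# Answering requires both the secret key and access to that mailbox.
make_challenge() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}
TOKEN=$(make_challenge)
printf '%s\n' "$TOKEN" > "$WORK/challenge.txt"
gpg_v --trust-model always --recipient bill@example.net --armor \
    --output "$WORK/challenge.asc" --encrypt "$WORK/challenge.txt"
# In practice challenge.asc is now e-mailed to bill@example.net; here the
# shared temporary directory stands in for the mailbox.

# Keyholder: decrypt what arrived at the new address and send the token back.
RESPONSE=$(gpg_h --decrypt "$WORK/challenge.asc")

# Verifier: only an exact match is evidence that the key's owner controls the
# new address; a mismatch or no reply means UID2 should not be signed.
challenge_verify() { [ "$1" = "$2" ]; }

if challenge_verify "$TOKEN" "$RESPONSE"; then
    echo "challenge answered: reasonable to go on and sign UID2"
else
    echo "challenge failed: do not sign UID2" >&2
fi

# Tidy up the agents started for the temporary keyrings.
gpgconf --homedir "$HOLDER" --kill gpg-agent
gpgconf --homedir "$VERIFIER" --kill gpg-agent
rm -rf "$WORK"
```

The same round trip with a pre-existing key is just the encrypt and decrypt steps with the two real keyrings; the point that carries over is that encrypting to the key alone proves nothing about the address, so the ciphertext has to travel through the mailbox named in the new UID.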
