How trust works in gpg...

David Shaw dshaw at
Tue Apr 15 22:41:21 CEST 2008

On Tue, Apr 15, 2008 at 09:36:04PM +0200, Herbert Furting wrote:
> On Tue, 2008-04-15 at 14:09 -0400, David Shaw wrote:
> > On Tue, Apr 15, 2008 at 03:10:47PM +0200, Herbert Furting wrote:
> > > To say it short: In my opinion every information that you sign/certify
> > > should be actually validated.
> > > It probably makes even sense to check if a keyholder specified all of
> > > his given names,... and perhaps one shouldn't sign UIDs like "George
> > > W. Bush" if the W. is an abbreviation, while "Harry S Truman" would be
> > > ok,.. as the S wasn't an abbreviation (iirc).
> > 
> > Not at all (though it is true that the S in Harry Truman's name isn't
> > an abbreviation).
> > 
> > When you sign a UID, you're signing what is there, and not making any
> > statement beyond what is there.  You don't need to insist they spell
> > out all of their names.
> Well I think it's generally better to always use only full names,...
> that helps to prevent collisions like if my name would be "David
> Something Shaw". Of course I say that it only helps,.. it doesn't fully
> solve this.

It is irrelevant to this.  There are a lot of "David Shaw"s in the
world, and it's pointless to try and prevent collisions in a set that
large.  The disambiguation in OpenPGP keys is really the email
address, not the name.

