A question about verifying keys
Werner Koch
wk at gnupg.org
Fri Dec 19 12:13:26 CET 2008
On Fri, 19 Dec 2008 11:26, jamesd at jml.net said:
> Is a signed e-mail containing a fingerprint equivalent to signing a key?
No, it is different:
  * If you sign a key, you actually sign the concatenation of a key and
    a user ID.
  * If you sign a file with a fingerprint you merely sign the key.
Thus in the latter case there is no way to check whether the key belongs
to a certain user ID. Of course if you sign a file with a content like:

    pub   2048D/1E42B367 2007-12-31 [expires: 2018-12-31]
          Key fingerprint = 8061 5870 F5BA D690 3336 86D0 F2AD 85AC 1E42 B367
    uid                  Werner Koch <wk at gnupg.org>

both methods are equivalent. However, this manual verification process
is more error-prone than having gpg do that for you.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
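
Added example, not part of the original message and not GnuPG code: a Python sketch of the RFC 4880 version 4 hash inputs, showing that a fingerprint covers only the key packet while the digest of a certification signature also covers the user ID. The toy key material, the user IDs and all helper names are constructed for illustration.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit count, then the value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def key_material(key_body: bytes) -> bytes:
    """Key as it enters any v4 hash: 0x99, two-octet length, packet body."""
    return b"\x99" + struct.pack(">H", len(key_body)) + key_body


def v4_fingerprint(key_body: bytes) -> str:
    """v4 fingerprint: SHA-1 over the key material only, no user ID."""
    return hashlib.sha1(key_material(key_body)).hexdigest().upper()


def certification_digest(key_body: bytes, user_id: str, sig_type: int = 0x10) -> str:
    """Digest a v4 certification signature is computed over (key + user ID)."""
    uid = user_id.encode("utf-8")
    # Hashed part of the signature packet: version 4, type, DSA (17),
    # SHA-1 (2), and an empty hashed-subpacket area (an assumption made
    # to keep the example short; real signatures carry a creation time).
    hashed = bytes([4, sig_type, 17, 2]) + struct.pack(">H", 0)
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed))
    data = (key_material(key_body)
            + b"\xb4" + struct.pack(">I", len(uid)) + uid
            + hashed + trailer)
    return hashlib.sha1(data).hexdigest().upper()


# Constructed toy key packet body (not a real key): version 4, creation
# time, algorithm 17 (DSA), then four small placeholder MPIs p, q, g, y.
TOY_KEY = (b"\x04" + struct.pack(">I", 1199059200) + b"\x11"
           + mpi(0xC5) + mpi(0x0B) + mpi(0x02) + mpi(0x59))

if __name__ == "__main__":
    print("fingerprint      :", v4_fingerprint(TOY_KEY))
    for uid in ("Alice <alice@example.org>", "Mallory <mallory@example.org>"):
        print("cert digest for", uid, ":", certification_digest(TOY_KEY, uid))
```

The fingerprint is the same whichever user ID is attached to the key, while the certification digest changes with the user ID, which is why a signed fingerprint alone says nothing about who owns the key.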