A question about verifying keys
wk at gnupg.org
Fri Dec 19 12:13:26 CET 2008
On Fri, 19 Dec 2008 11:26, jamesd at jml.net said:
> Is a signed e-mail containing a fingerprint equivalent to signing a key?

No, it is different:

 * If you sign a key, you actually sign the concatenation of a key and
   a user ID.

 * If you sign a file with a fingerprint you merely sign the key.

Thus in the latter case there is no way to check whether the key belongs
to a certain user ID. Of course if you sign a file with a content like:

  pub   2048D/1E42B367 2007-12-31 [expires: 2018-12-31]
        Key fingerprint = 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
  uid   Werner Koch <wk at gnupg.org>

both methods are equivalent. However, this manual verification process
is more error prone than having gpg do that for you.
Thoughts are free. Exceptions are regulated by a federal law.
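
Added example, not part of the original post: a sketch of which bytes go into a V4 fingerprint and which go into a V4 key certification, following the RFC 4880 layout, to show that only the certification covers the user ID. The key body, signature fields and user IDs are constructed sample values, not a real key, and all function names are hypothetical.

```python
import hashlib
import struct

def key_prefix(key_body: bytes) -> bytes:
    # 0x99, two-octet big-endian length, then the public-key packet body.
    return b"\x99" + struct.pack(">H", len(key_body)) + key_body

def v4_fingerprint(key_body: bytes) -> str:
    # The fingerprint is SHA-1 over the key material only; no user ID is hashed.
    return hashlib.sha1(key_prefix(key_body)).hexdigest().upper()

def certification_input(key_body: bytes, user_id: str, hashed_sig: bytes) -> bytes:
    # A key signature hashes the key, then 0xB4 + four-octet length + user ID,
    # then the hashed part of the signature packet and a length trailer.
    uid = user_id.encode("utf-8")
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed_sig))
    return (key_prefix(key_body)
            + b"\xb4" + struct.pack(">I", len(uid)) + uid
            + hashed_sig + trailer)

def certification_digest(key_body: bytes, user_id: str, hashed_sig: bytes) -> str:
    data = certification_input(key_body, user_id, hashed_sig)
    return hashlib.sha256(data).hexdigest()

# Constructed sample data (assumptions for illustration only).
# Key body: version 4, creation time, algorithm 17 (DSA), filler instead of MPIs.
KEY_BODY = b"\x04" + struct.pack(">I", 1199059200) + b"\x11" + bytes(range(32))
# Hashed signature fields: version 4, type 0x10 (generic certification),
# algorithm 17 (DSA), hash 8 (SHA-256), zero-length hashed subpacket area.
HASHED_SIG = bytes([0x04, 0x10, 0x11, 0x08, 0x00, 0x00])
UID_A = "Alice Example <alice@example.org>"
UID_B = "Bob Example <bob@example.org>"

def compare() -> dict:
    # Same key, two different user IDs: one fingerprint, two certification digests.
    return {
        "fingerprint": v4_fingerprint(KEY_BODY),
        "cert_a": certification_digest(KEY_BODY, UID_A, HASHED_SIG),
        "cert_b": certification_digest(KEY_BODY, UID_B, HASHED_SIG),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

A signed message that quotes only the fingerprint commits to the first value; a certification made by gpg commits to one of the other two, so it is tied to a single user ID.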