A question about verifying keys

Werner Koch wk at gnupg.org
Fri Dec 19 12:13:26 CET 2008

On Fri, 19 Dec 2008 11:26, jamesd at jml.net said:

> Is a signed e-mail containing a fingerprint equivalent to signing a key?

No, it is different:
* If you sign a key, you actually sign the concatenation of a key and
  a user ID.

* If you sign a file with a fingerprint you merely sign the key.

Thus in the latter case there is no way to check whether the key belongs
to a certain user ID.  Of course if you sign a file with a content like:

  pub   2048D/1E42B367 2007-12-31 [expires: 2018-12-31]
        Key fingerprint = 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
  uid                  Werner Koch <wk at gnupg.org>

both methods are equivalent.  However, this manual verification process
is more error prone than having gpg do that for you.



Thoughts are free. Exceptions are regulated by a federal law.
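As an added illustration (not code from the original thread), this Python script builds the exact octet strings that RFC 4880 hashes for a v4 fingerprint and for a certification signature, which is the difference the message describes: the fingerprint covers the key packet alone, while a key signature's hash input also contains the user ID. The key material, creation time and user IDs are constructed samples.

```python
import hashlib
import struct

# Constructed sample, not a real key: one short MPI keeps the packet layout visible.
# Public-key algorithm 17 is DSA, as in the "2048D" key shown in the message.
SAMPLE_MPI = bytes.fromhex("c0ffee0123456789abcdef")
CREATION_TIME = 1199059200  # 2007-12-31T00:00:00Z, the creation date quoted above
USER_ID = b"Werner Koch <wk@gnupg.org>"


def build_key_body(creation_time: int, algo: int, mpi: bytes) -> bytes:
    """Body of a v4 public-key packet (RFC 4880 5.5.2): version, time, algorithm, MPI."""
    bits = int.from_bytes(mpi, "big").bit_length()
    return b"\x04" + struct.pack(">IB", creation_time, algo) + struct.pack(">H", bits) + mpi


def key_prefix(key_body: bytes) -> bytes:
    """0x99 || two-octet length || body: the octets hashed for the fingerprint and for key signatures."""
    return b"\x99" + struct.pack(">H", len(key_body)) + key_body


def fingerprint(key_body: bytes) -> str:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over the key prefix alone. No user ID enters the hash."""
    return hashlib.sha1(key_prefix(key_body)).hexdigest().upper()


def certification_digest(key_body: bytes, user_id: bytes, sig_time: int, sig_type: int = 0x13) -> str:
    """Digest that a v4 certification (key signature) is computed over (RFC 4880 5.2.4).

    After the key prefix, the User ID is hashed with a 0xB4 tag and a four-octet length,
    then the hashed part of the signature packet and the v4 trailer. Changing the user ID
    changes the digest, so the signature binds key and user ID together."""
    uid_part = b"\xb4" + struct.pack(">I", len(user_id)) + user_id
    subpackets = b"\x05\x02" + struct.pack(">I", sig_time)  # one signature-creation-time subpacket
    # version 4, signature type, public-key algo 17 (DSA), hash algo 8 (SHA-256), subpacket length
    sig_part = bytes([4, sig_type, 17, 8]) + struct.pack(">H", len(subpackets)) + subpackets
    trailer = b"\x04\xff" + struct.pack(">I", len(sig_part))
    return hashlib.sha256(key_prefix(key_body) + uid_part + sig_part + trailer).hexdigest()


def pretty_fingerprint(fp: str) -> str:
    """Group a 40-hex fingerprint as gpg prints it: ten blocks of four, double space after five."""
    blocks = [fp[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(blocks[:5]) + "  " + " ".join(blocks[5:])


if __name__ == "__main__":
    key = build_key_body(CREATION_TIME, 17, SAMPLE_MPI)
    print("Key fingerprint =", pretty_fingerprint(fingerprint(key)))
    for uid in (USER_ID, b"Other Name <other@example.invalid>"):
        # same key, same fingerprint; different user ID, different certification digest
        print(uid.decode(), "->", certification_digest(key, uid, CREATION_TIME)[:16], "...")
```

A signed file that contains only the fingerprint line commits to nothing more than `fingerprint()` returns; only the certification path hashes the user ID.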
