Signing a key (meaning)

Jan Janka takethebus at gmx.de
Sat Apr 9 00:02:14 CEST 2011


>> I wonder how I can check whether the email
>> address in the ID really belongs to the keyowner.

>You can only check whether the key owner "has access"
>to the email address. You cannot check whether this
>access is in any way exclusive, legit or whatever.

I think so, but WHAT benefit (concerning the identity) do you have from knowing that the person who owns the private key *has access* to the email address mentioned in that key ID? Remember that we do the whole fingerprint checking because we believe it might very well be that there's a man in the middle or that an attacker has access to the email address.

I think there's no benefit, because everybody who issues a key (even an attacker) wants to receive information encrypted with that key; otherwise he wouldn't issue it. Thus he will place an email address in the ID he has access to. So I think we can take this for granted.

The reason why the email address is in the user ID is for convenience (so everybody knows where to send emails) and to make sure keys can be easily found on the keyserver. Apart from that, it enables users to distinguish between keys of persons with the same name.

Thanks for the answers,
Jan
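
[Added example, not part of the original thread.] The check under discussion (encrypt a token to the key, mail it to the address in the user ID, see whether the token comes back) is easy to model, and the model shows exactly what Jan is getting at: the check passes for anyone who controls both a private key and the mailbox named in that key's UID, whoever they are. The code below is illustrative only: it uses tiny textbook RSA with fixed Mersenne primes instead of OpenPGP, a dict instead of SMTP, and invented names and addresses (alice@example.org, alice@example.net, "Mallory"). It is not GnuPG's or any keyserver's code.

```python
"""Toy model of the "has access to the mailbox" check.

A signer encrypts a random token to the key under review and mails it to
the address in that key's user ID. Whoever returns the plaintext token has
shown possession of the private key AND the ability to read that mailbox.
Nothing more is shown: a key whose UID carries an address the key's creator
controls passes, no matter who that creator is.

Everything here is constructed for illustration (toy unpadded RSA, a dict
as the "internet", invented names). Needs Python 3.8+ for pow(e, -1, phi).
"""
import secrets
from dataclasses import dataclass, field

_E = 65537  # gcd(_E, (p-1)(q-1)) == 1 for the Mersenne primes used below


def toy_keypair(p, q):
    """Textbook RSA: returns ((n, e), (n, d)). Tiny primes, demo only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, _E), (n, pow(_E, -1, phi))


@dataclass
class Mailbox:
    address: str
    inbox: list = field(default_factory=list)


@dataclass
class Key:
    uid: str          # "Name <address>", as in an OpenPGP user ID
    public: tuple
    private: tuple    # stays with whoever generated the key


INTERNET = {}  # constructed transport: address -> Mailbox


def uid_address(uid):
    """Pull the mail address out of a 'Name <address>' user ID."""
    return uid[uid.index("<") + 1:uid.index(">")]


def issue_challenge(key):
    """Signer side: encrypt a fresh 64-bit token (2 <= token < n) to the key
    and deliver it to the address named in the UID. Returns the token."""
    token = secrets.randbelow(2**64 - 2) + 2
    n, e = key.public
    INTERNET[uid_address(key.uid)].inbox.append(pow(token, e, n))
    return token


def answer_challenge(mailbox, private):
    """Responder side: take the newest mail from `mailbox`, decrypt it with
    `private`, echo the result. None if nothing arrived in that mailbox."""
    if not mailbox.inbox:
        return None
    n, d = private
    return pow(mailbox.inbox.pop(), d, n)


def mailbox_access_check(key, responder_mailbox, responder_private):
    """Full round trip. True iff the party reading `responder_mailbox` with
    `responder_private` can echo the token. Note what is NOT an input:
    anything about who that party actually is."""
    expected = issue_challenge(key)
    return answer_challenge(responder_mailbox, responder_private) == expected


def run_scenarios():
    """Five constructed situations; returns {name: check_passed}."""
    INTERNET.clear()
    alice_box = Mailbox("alice@example.org")     # Alice's real mailbox
    lookalike_box = Mailbox("alice@example.net")  # registered by Mallory
    for box in (alice_box, lookalike_box):
        INTERNET[box.address] = box

    alice_pub, alice_priv = toy_keypair(2**31 - 1, 2**61 - 1)
    mallory_pub, mallory_priv = toy_keypair(2**89 - 1, 2**107 - 1)

    alice_key = Key("Alice <alice@example.org>", alice_pub, alice_priv)
    lookalike_key = Key("Alice <alice@example.net>", mallory_pub, mallory_priv)
    forged_key = Key("Alice <alice@example.org>", mallory_pub, mallory_priv)

    return {
        # Genuine owner, genuine mailbox: passes.
        "alice": mailbox_access_check(alice_key, alice_box, alice_priv),
        # Attacker's key with an address the attacker owns: passes just the same,
        # although the name in the UID is a lie.
        "lookalike": mailbox_access_check(lookalike_key, lookalike_box, mallory_priv),
        # Attacker's key claiming Alice's real address; the mail lands in
        # Alice's box, Mallory sees nothing: fails.
        "forged_no_access": mailbox_access_check(forged_key, lookalike_box, mallory_priv),
        # Alice reads that mail but cannot decrypt it with her own key: fails.
        "forged_alice_reads": mailbox_access_check(forged_key, alice_box, alice_priv),
        # Same forged key once Mallory can read Alice's mailbox (the man in
        # the middle Jan mentions): passes.
        "forged_with_access": mailbox_access_check(forged_key, alice_box, mallory_priv),
    }


if __name__ == "__main__":
    for name, passed in run_scenarios().items():
        print(f"{name:20s} {'PASS' if passed else 'FAIL'}")
```

The only situations the check rejects are the two where key and mailbox do not belong to the same party. It never distinguishes the legitimate owner from an attacker who set up a key and a mailbox to go with it, which is why the fingerprint still has to be confirmed out of band.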



More information about the Gnupg-users mailing list