comments on uid

freejack at is-not-my.name
Sun Mar 18 19:13:32 CET 2012


> I should note that many people actually *don't* check if the e-mail
> address belongs to the person whose UID they sign. If this were as
> "simple" to prove as it is to prove you have a certain name by showing a
> passport or something, it might be checked more often.

That doesn't sound right. If you can't verify the email shown on the key
belongs to the user what have you accomplished? All you did was tie a key id
to a person (maybe, not sure if you provably accomplished that) but not the
email address. If the purpose of key signing is ultimately to relate
something useful to a person then I think it's more useful to know a certain
person owns a certain email address and what his key id is. YMMV.

Passports and other documents are easily forged, just take 100 bucks and sit
on the corner for 10 minutes. Practically, it's probably harder to spoof an
email address. How do you know what his key id is? Couldn't he also forge a
little printout with somebody else's key id, fingerprint, etc and give it to
you along with his passport? I'm sure somebody has thought it all through
but it seems to me the purpose of trusting a key is to bind somebody to an
email address, not just a key ID...sort of like S/MIME that contains the
email address, but without relying on a trusted third party.

> But that's government regulated, unlike e-mail addresses. All you can
> easily prove is that you have access to an e-mail account, which is
> something completely different. Just to begin with: so does your e-mail
> provider.

Not necessarily but even if they did, how do they have access to the key?
I'm just saying 2 pieces of binding information sound better than one.

Wouldn't it be safer to ask the person who wants you to sign his key to mail
you his key id and then you respond with some piece of information he has to
bring when you sign his key, in addition to whatever else you do?

> If you haven't given the key to anyone (the copy in your own keyring is
> the only copy in existence), you can just add the new UID with adduid and
> then delete the old one with deluid. A key needs at least one UID, 
> so you first need to add a new one before you delete the last and only UID.

Thanks