comments on uid

Faramir at
Sun Mar 18 19:53:38 CET 2012

Hash: SHA256

El 18-03-2012 15:13, freejack at escribió:
>> I should note that many people actually *don't* check if the
>> e-mail address belongs to the person whose UID they sign. If this
>> were as
> That doesn't sound right. If you can't verify the email shown on
> the key belongs to the user what have you accomplished? All you did
> was tie a key id to a person (maybe, not sure if you provably
> accomplished that) but not the email address. If the purpose of key
> signing is ultimately to relate something useful to a person then I
> think it's more useful to know a certain person owns a certain
> email adddress and what his key id is. YMMV.

  Well, I can carry my photo-Id stuff with me to a keysigning party,
but I don't have any document to show I own my email address. Some
people solve that by sending the signed key, encrypted to the
recipient's key, to the email address. If the person doesn't control
the email address, the person won't get the signature. If the email
owner doesn't have the key, then he can't open the signature.

  Some people even adds what it is called a Freeform UID, which
carries Name, Comment, but no email address, that way, if they change
their email provider, signatures collected on that UID won't be lost
(you should revoke the UIDs that include an email address you no
longer can use).

> Passports and other documents are easily forged, just take 100
> bucks and sit

  Well, that depends on the technology used to make the passports.

> you along with his passport? I'm sure somebody has thought it all
> through but it seems to me the purpose of trusting a key is to bind
> somebody to an email address, not just a key ID...sort of like
> S/MIME that contains the email address, but without relying on a
> trusted third party.

  That depends on what do you want to achieve. Some people wants to
know which is the real key of a person (binding the key to a name),
some others want to make sure they are sending stuff to the right
person, but don't care about who is that person (they bind the key to
an email address, or to a nickname). That is the good (and for some
people, the bad) thing about OpenPGP, your signatures have the meaning
you want them to have...

   Best Regards
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla -


More information about the Gnupg-users mailing list