comments on uid

Eric H. Christensen eric at
Sun Mar 18 19:40:43 CET 2012

Hash: SHA1

On Sun, Mar 18, 2012 at 06:13:32PM -0000, freejack at wrote:
> > I should note that many people actually *don't* check if the e-mail
> > address belongs to the person whose UID they sign. If this were as
> > "simple" to prove as it is to prove you have a certain name by showing a
> > passport or something, it might be checked more often.
> That doesn't sound right. If you can't verify the email shown on the key
> belongs to the user what have you accomplished? All you did was tie a key id
> to a person (maybe, not sure if you provably accomplished that) but not the
> email address. If the purpose of key signing is ultimately to relate
> something useful to a person then I think it's more useful to know a certain
> person owns a certain email adddress and what his key id is. YMMV.

Just to play devil's advocate there could be a single email address being used for a group of people.  You'd know the message was for you because you have the correct key to open the message while everyone else would be left with a random mess of characters.  Not sure why one would setup such a system, since email addresses are cheap now days, but none the less you could setup something similar.  Although this does make one wonder about hijacking someone's account which means that you'd always want to make sure that you change the authentication to your email accounts regularly lest someone do this to you.  It would, more than likely, be a very targetted attack.

> > But that's government regulated, unlike e-mail addresses. All you can
> > easily prove is that you have access to an e-mail account, which is
> > something completely different. Just to begin with: so does your e-mail
> > provider.
> Not necessarily but even if they did, how do they have access to the key?
> I'm just saying 2 pieces of binding information sound better than one.
> Wouldn't it be safer to ask the person who wants you to sign his key to mail
> you his key id and then you respond with some piece of information he has to
> bring when you sign his key, in additional to whatever else you do? 
> > If you haven't given the key to anyone (the copy in your own keyring is
> > the only copy in existence), you can just add the new UID with adduid and
> > then delete the old one with deluid. A key needs at least one UID, 
> > so you first need to add a new one before you delete the last and only UID.

So CAFF[0] does make key signing a bit more secure although it does not solve the problem completely.  When signing keys with CAFF, the program will create the signatures per UID and then email the specific UID signature to the address on that UID.  The message is encrypted which requires that the receiving party not only have access to the email address but also the key so they can import the signature.  Once they have imported the signature they can upload the updated key to a key server.  That means that if they are only attacking the email from a sending point of view then they wouldn't have access to the key signature.


- -- Eric

- --------------------------------------------------
Eric H Christensen        eric at
"Sparks"                  sparks at
    .... . .-.. .-.. ---  .-- --- .-. .-.. -..
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
- --------------------------------------------------
Version: GnuPG v2.0.14 (GNU/Linux)


More information about the Gnupg-users mailing list