trust your corporation for keyowner identification?

MFPA expires2013 at
Mon Nov 4 17:02:00 CET 2013

On Sunday 3 November 2013 at 2:08:15 AM, in
<mid:5275B00F.7030404 at>, Paul R. Ramer wrote:

> When you verify a key to sign you are verifying the following:

> 1) For each UID, that the name is correct and that the
> purported owner has control of the email in that UID
> (possibly also verifying the comment if it contains
> something such as "CEO ABC Corporation"). 2) That the
> purported owner has control of the key and can decrypt
> and sign messages.

> For #1, it is possible that the user has no name or
> email address in the UID(s).  Either way, you need to
> verify the details of the UIDs that you intend to sign.
> For #2, you need to verify the key fingerprint,
> algorithm, and key size (but the fingerprint at a
> minimum) and then have the user demonstrate that he can
> decrypt a message encrypted with the key in question
> and also sign with it.  This can be done by sending a
> message of unknown content (from the purported key
> owner's perspective) to him to each email that he
> claims to have in each of his UIDs (provided he has
> any) and require him to reply with a signed copy of the
> decrypted message.  This serves to verify the control
> of the key and the email addresses.

Why do we need to establish they can also sign? Isn't it enough to
demonstrate they control the email address and can decrypt, by signing
one UID at a time and sending that signed copy of the key in an
encrypted email to the address in that UID?

And as an aside, does it really make a difference to only sign some
UIDs and not others? Does GnuPG actually take account of which UIDs
are signed in its validity or trust calculations?

--
Best regards

MFPA                    mailto:expires2013 at

Life is far too important a thing ever to talk seriously about
