trust your corporation for keyowner identification?

MFPA expires2013 at ymail.com
Mon Nov 4 17:02:00 CET 2013


Hi


On Sunday 3 November 2013 at 2:08:15 AM, in
<mid:5275B00F.7030404 at gmail.com>, Paul R. Ramer wrote:


> When you verify a key to sign you are verifying the following:

> 1) For each UID, that the name is correct and that the
> purported owner has control of the email in that UID
> (possibly also verifying the comment if it contains
> something such as "CEO ABC Corporation").
> 2) That the purported owner has control of the key and
> can decrypt and sign messages.

> For #1, it is possible that the user has no name or
> email address in the UID(s). Either way, you need to
> verify the details of the UIDs that you intend to sign.
> For #2, you need to verify the key fingerprint,
> algorithm, and key size (but the fingerprint at a
> minimum) and then have the user demonstrate that he can
> decrypt a message encrypted with the key in question
> and also sign with it. This can be done by sending a
> message of unknown content (from the purported key
> owner's perspective) to him at each email address that he
> claims to have in each of his UIDs (provided he has
> any) and requiring him to reply with a signed copy of the
> decrypted message. This serves to verify the control
> of the key and the email addresses.

Why do we need to establish they can also sign? Isn't it enough to
demonstrate they control the email address and can decrypt, by signing
one UID at a time and sending that signed copy of the key in an
encrypted email to the address in that UID?

And as an aside, does it really make a difference to only sign some
UIDs and not others? Does GnuPG actually take account of which UIDs
are signed in its validity or trust calculations?

--
Best regards

MFPA                    mailto:expires2013 at ymail.com

Life is far too important a thing ever to talk seriously about
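The challenge step Paul describes (encrypt something the owner cannot predict to the key, require a reply that is signed and contains it), run end to end against a throw-away keyring; this is an added example, not code from the thread. It assumes GnuPG 2.1 or later on PATH and simulates both parties in one keyring with a constructed key for alice@example.org (a real verifier holds only the public key and checks the fingerprint first).

```shell
#!/bin/sh
# Added example: Paul's challenge/response check for one UID, run against a throw-away
# keyring. Both sides are simulated here; a real verifier holds only the public key.
set -eu
GNUPGHOME=$(mktemp -d); export GNUPGHOME
WORK=$GNUPGHOME/work; mkdir -p "$WORK"
# Constructed sample key owner (assumption: GnuPG >= 2.1, no passphrase for the demo).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Alice Example <alice@example.org>' default default never
FPR=$(gpg --batch --with-colons --list-keys alice@example.org |
      awk -F: '$1=="fpr"{print $10; exit}')

# Verifier: one unguessable nonce per UID, encrypted to the key whose fingerprint was checked.
make_challenge() {   # $1 = e-mail from the UID, $2 = fingerprint; prints the nonce
    nonce=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf 'uid=%s nonce=%s\n' "$1" "$nonce" |
        gpg --batch --quiet --trust-model always --armor -r "$2" -e > "$WORK/challenge.asc"
    echo "$nonce"
}

# Owner: decrypt the challenge, then reply either clear-signed or as a bare echo.
owner_reply() {      # $1 = signed | unsigned
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        -d "$WORK/challenge.asc" > "$WORK/plain.txt"
    if [ "$1" = signed ]; then
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --clearsign < "$WORK/plain.txt" > "$WORK/reply.txt"
    else
        cp "$WORK/plain.txt" "$WORK/reply.txt"
    fi
}

# Verifier: accept only if the reply carries a good signature whose primary key is the
# fingerprint being verified AND the signed text contains this UID's nonce.
check_reply() {      # $1 = expected fingerprint, $2 = nonce issued for this UID
    signer=$(gpg --batch --status-fd 1 --verify "$WORK/reply.txt" 2>/dev/null |
             awk '$2=="VALIDSIG"{print $NF; exit}')
    [ "$signer" = "$1" ] || return 1
    gpg --batch --quiet -d "$WORK/reply.txt" 2>/dev/null | grep -q "nonce=$2"
}

NONCE=$(make_challenge alice@example.org "$FPR")
owner_reply signed
if check_reply "$FPR" "$NONCE"; then
    echo "alice@example.org: mailbox, decryption and signing all demonstrated for $FPR"
fi
```

check_reply rejects the unsigned echo, which is the difference MFPA asks about: a decrypted echo alone shows control of the mailbox and the encryption (sub)key, while the signature additionally shows control of the signing key.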