trust your corporation for keyowner identification?

Daniel Kahn Gillmor dkg at
Mon Nov 4 17:52:02 CET 2013

On 11/04/2013 11:02 AM, MFPA wrote:
> And as an aside, does it really make a difference to only sign some
> UIDs and not others? Does GnuPG actually take account of which UIDs
> are signed in its validity or trust calculations?

Yes, it does make a difference.

Let's say I make key X and attach to User IDs to it:

  * Daniel Kahn Gillmor <dkg at>
  * Alice Munroe <alice at>

You meet me, check my identity, verify that i'm actually dkg, and just 
sign the first User ID (because you have been unable to verify whether i 
am also somehow Alice Munroe). (in fact, i am not Alice Munroe, but i 
would like to be able to read her mail)

At some point, you find you want to encrypt a message to Alice Munroe 
(who you met at a conference, perhaps).  If you had certified both User 
IDs on my key, gpg would be happy to encrypt the message to my key 
instead of Alice's actual key.  If i get a copy of that message, i would 
be able to read it.  This would be bad.

An OpenPGP certification (a "keysigning") is an identity assertion, over 
*both* the key and the User ID.  It says "this key K belongs to the 
person known in the real world by the User ID U", and it is 
cryptographically signed by the person making the assertion.

If you substitute some arbitrary other User ID for U, the meaning of the 
certification changes radically (and the cryptographic certification 
breaks).  This is an intended feature.


More information about the Gnupg-users mailing list