trust your corporation for keyowner identification?
ekleog at gmail.com
Mon Nov 4 23:20:12 CET 2013
On Mon, Nov 04, 2013 at 01:44:51PM -0800, Paul R. Ramer wrote:
> MFPA <expires2013 at ymail.com> wrote:
> >Why do we need to establish they can also sign? Isn't it enough to
> >demonstrate they control the email address and can decrypt, by signing
> >one UID at a time and sending that signed copy of the key in an
> >encrypted email to the address in that UID?
> You are right. Decryption is sufficient to demonstrate control of the private key, because if he can decrypt, he can also sign. What I said, "decrypt and sign," was redundant.
Well... I still do not understand why decryption is sufficient to demonstrate
control of the private key and not adding a UID (note I'm talking about signed
UID's, not unsigned ones, of course).
More information about the Gnupg-users