Proof of possession when exchanging keys

Ingo Klöcker kloecker at kde.org
Fri Nov 15 23:28:12 CET 2013


On Friday 15 November 2013 11:39:30 Phil Calvin wrote:
> On Nov 15, 2013, at 11:02, "Thomas Harning Jr." <harningt at gmail.com> wrote:
> > The general practice I follow is to verify fingerprint and ID separately
> > then, in order to verify control of email address and private key, send
> > the signed ID encrypted to the provided email address.
>
> That makes perfect sense. That's the approach I took on the most recent key
> I signed.
> 
> What attacks are mitigated by verifying control of the secret key, though? I
> am having a hard time grokking the benefit for someone whose ID you have
> verified to present and fingerprint a key which she does not control.

By signing the UIDs connected to a key you certify that the UIDs (most 
commonly email addresses) belong to the same person. You and people trusting 
your certifications could be led into sending an encrypted message meant for 
the owner of an email address not belonging to the key owner to one of the 
email addresses of the key owner.

It may seem a bit far-fetched that somebody would use one of the email 
addresses of the key owner instead of the email address of the intended 
recipient, but a possible reason for this could be that the email address of 
the intended recipient stopped working (e.g. because he changed his ISP or his 
employer).


Regards,
Ingo
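The procedure Thomas describes above (verify ID and fingerprint separately, then deliver the certification encrypted to the key, so that only someone who holds the private key and reads the mailbox can ever use it) is what caff automates. The script below is an added example for this archive page, not code from the thread or from GnuPG itself. It plays both roles with two throwaway GNUPGHOME directories plus a third for an impostor who knows the fingerprint but not the private key. The names, addresses, paths and the helper names g, fpr_of and run_demo are made up for the demonstration; it assumes GnuPG 2.1 or later on PATH and never touches a keyserver.

```shell
#!/bin/sh
# Added example, not from the original thread: a caff-style proof-of-possession
# key-signing round with two throwaway GNUPGHOME directories. All names,
# addresses and paths are constructed for the demo. Assumes GnuPG >= 2.1.
set -eu

# Run gpg non-interactively in a given homedir (demo keys carry no passphrase).
g() {
    home="$1"; shift
    GNUPGHOME="$home" gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Primary-key fingerprint of the key matching pattern $2 in homedir $1.
fpr_of() {
    g "$1" --list-keys --with-colons "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

run_demo() {
    work=$(mktemp -d)
    signer="$work/signer"; owner="$work/owner"; impostor="$work/impostor"
    mkdir -m 700 "$signer" "$owner" "$impostor"

    # Alice (key owner) and Bob (signer) each generate a key in their own homedir.
    g "$owner"  --quick-generate-key 'Alice <alice@example.org>' default default never
    g "$signer" --quick-generate-key 'Bob <bob@example.org>'     default default never

    # 1. The fingerprint is handed over out of band (on paper, face to face).
    #    Reading it from Alice's own keyring stands in for the slip of paper.
    paper_fpr=$(fpr_of "$owner" alice@example.org)

    # 2. Bob fetches the public key and checks it against the fingerprint he saw.
    g "$owner"  --export --armor alice@example.org > "$work/alice.asc"
    g "$signer" --import "$work/alice.asc"
    [ "$(fpr_of "$signer" alice@example.org)" = "$paper_fpr" ] || return 1

    # 3. Bob certifies only the user ID whose name and address he verified.
    g "$signer" --quick-sign-key "$paper_fpr" 'Alice <alice@example.org>'

    # 4. Instead of publishing the certification, Bob encrypts the signed key to
    #    Alice's key, as if mailing it to alice@example.org. Only the holder of
    #    that private key who also reads that mailbox can recover his signature.
    g "$signer" --export --armor "$paper_fpr" \
      | g "$signer" --encrypt --armor --trust-model always \
          --recipient "$paper_fpr" --output "$work/to_alice.asc"

    # 5. Alice decrypts and imports; Bob's certification is now on her key.
    g "$owner" --decrypt "$work/to_alice.asc" | g "$owner" --import
    bob_keyid=$(fpr_of "$signer" bob@example.org | tail -c 17)
    g "$owner" --list-sigs --with-colons "$paper_fpr" \
      | awk -F: -v k="$bob_keyid" '$1 == "sig" && $5 == k { ok = 1 } END { exit !ok }' \
      || return 1

    # 6. Someone who presented Alice's fingerprint but lacks her private key
    #    cannot decrypt the mail, so the certification never reaches them.
    if g "$impostor" --decrypt "$work/to_alice.asc" >/dev/null 2>&1; then
        return 1
    fi

    for h in "$signer" "$owner" "$impostor"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    echo "proof-of-possession round complete: Bob's certification reached only Alice"
}

if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo "gpg not found on PATH; nothing to demonstrate" >&2
fi
```

Step 4 is the part that answers Phil's question: had Bob simply uploaded his signature after checking ID and fingerprint, a person who presented somebody else's fingerprint along with their own address would still end up with a certified UID on a key they do not control. Delivering the certification encrypted to the key costs nothing extra and closes that gap.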