Sign key and export for each UID
kloecker at kde.org
Mon Sep 16 23:18:50 CEST 2013
On Monday 16 September 2013 11:57:04 Doug Barton wrote:
> The way that your signer did it is _a_ standard way to do it. CAFF is
> a very popular program for that, and there is another here that is
> also pretty good: http://www.phildev.net/pius/news.shtml
> I have another philosophy that works for me because I prefer not to
> sign uids that are not valid. I send encrypted e-mail to each uid
> with a pseudo-random string and ask the person to send me back the
> string in a signed message. That allows me to determine if the person
> has control of all 3 elements of the uid; the e-mail address,
> private, and public keys.
CAFF (and apparently also PIUS) achieve the same: A signed UID is sent
encrypted to the UID's email address. The signature on the UID can only
be retrieved by a person who controls the email address and the private
key. What do you mean by having control of the public key? How does your
workflow verify that the person has control of the public key? AFAICS
the public key is not needed for anything in your workflow.
> As a pleasant side effect it also gives me
> a chance to judge their competence with PGP, which allows me to
> assign a better trust value to folks I did not previously know.
Granted, this is an advantage your workflow has over CAFF, but I'm not
sure it's worth the additional work of verifying all replies and then
selectively signing UIDs. I've been there and have done this, but CAFF
is just a lot less of a hassle without losing much (if anything).