Sign key and export for each UID

Ingo Klöcker kloecker at
Mon Sep 16 23:18:50 CEST 2013

On Monday 16 September 2013 11:57:04 Doug Barton wrote:
> The way that your signer did it is _a_ standard way to do it. CAFF is
> a very popular program for that, and there is another here that is
> also pretty good:
> I have another philosophy that works for me because I prefer not to
> sign uids that are not valid. I send encrypted e-mail to each uid
> with a pseudo-random string and ask the person to send me back the
> string in a signed message. That allows me to determine if the person
> has control of all 3 elements of the uid; the e-mail address,
> private, and public keys.

CAFF (and apparently also PIUS) achieve same: A signed UID is sent 
encrypted to the UID's email address. The signature on the UID can only 
be retrieved by a person who controls the email address and the private 
key. What do you mean by having control of the public key? How does your 
workflow verify that the person has control of the public key? AFAICS 
the public key is not needed for anything in your workflow.

> As a pleasant side effect it also gives me
> a chance to judge their competence with PGP, which allows me to
> assign a better trust value to folks I did not previously know.

Granted, this is an advantage your workflow has over CAFF, but I'm not 
sure it's worth the additional work of verifying all replies and then 
selectively signing UIDs. I've been there and have done this, but CAFF 
is just a lot less of a hassle without losing much (if anything).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20130916/85a33cd0/attachment.sig>

More information about the Gnupg-users mailing list