Sign key and export for each UID

Doug Barton dougb at
Mon Sep 16 23:33:59 CEST 2013

FYI, the signature on your message did not verify for me in thunderbird,
although others you have sent do.

On 09/16/2013 02:18 PM, Ingo Klöcker wrote:
| On Monday 16 September 2013 11:57:04 Doug Barton wrote:
|> The way that your signer did it is _a_ standard way to do it. CAFF is
|> a very popular program for that, and there is another here that is
|> also pretty good:
|> I have another philosophy that works for me because I prefer not to
|> sign uids that are not valid. I send encrypted e-mail to each uid
|> with a pseudo-random string and ask the person to send me back the
|> string in a signed message. That allows me to determine if the person
|> has control of all 3 elements of the uid: the e-mail address,
|> private, and public keys.
| CAFF (and apparently also PIUS) achieve same

I'm familiar with how those tools work. However what I don't like about
them is that they can either leave behind signatures that I consider
bogus on my local key ring, or require that the user correctly deal with
the signatures I send, and upload them to a public key server, for me to
later download. I prefer to keep my personal key rings reflective of my
judgement about the keys/uids, regardless of how the user chooses to
deal with the signatures. But that's my choice, reasonable minds can

|> As a pleasant side effect it also gives me
|> a chance to judge their competence with PGP, which allows me to
|> assign a better trust value to folks I did not previously know.
| Granted, this is an advantage your workflow has over CAFF, but I'm not
| sure it's worth the additional work of verifying all replies and then
| selectively signing UIDs.

Like I said, reasonable minds can differ. I personally don't find it all
that burdensome to select the uids that I am willing to sign when I get
the responses back.



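The per-UID challenge/response check Doug describes above, written out as an added example (this is not code from the thread or from CAFF/PIUS). It assumes `gpg` on PATH and a key fingerprint supplied by the caller; the decision logic is kept separate from the gpg calls so it can be exercised with constructed replies.

```python
import secrets
import subprocess


def make_challenges(uids):
    """One unguessable string per UID, so a reply can only vouch for the UID
    it was mailed to, not for any other UID on the same key."""
    return {uid: secrets.token_urlsafe(24) for uid in uids}

def list_uids(key_fpr):
    """UID strings of a key from gpg's colon-separated listing (field 10)."""
    out = subprocess.run(["gpg", "--batch", "--with-colons", "--list-keys", key_fpr],
                         capture_output=True, text=True, check=True).stdout
    return [line.split(":")[9] for line in out.splitlines() if line.startswith("uid:")]

def encrypt_for(key_fpr, text):
    """Challenge encrypted to the key; mail it to that UID's address, so reading
    it needs both the mailbox and the private key."""
    return subprocess.run(["gpg", "--batch", "--armor", "--encrypt", "--recipient", key_fpr],
                          input=text, capture_output=True, text=True, check=True).stdout

def parse_validsig(status_text):
    """Primary-key fingerprint from a VALIDSIG status line, or None if none."""
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) > 2 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # field 12 is the primary-key fingerprint; fall back to the signing key's
            return fields[11] if len(fields) > 11 else fields[2]
    return None

def verify_reply(armored_reply):
    """(signer primary fingerprint, plaintext) of a signed reply, or None."""
    p = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt"],
                       input=armored_reply, capture_output=True, text=True)
    fpr = parse_validsig(p.stderr)
    return (fpr, p.stdout) if p.returncode == 0 and fpr else None

def uids_to_sign(challenges, replies, key_fpr):
    """replies: uid -> (signer fingerprint, plaintext) as returned by verify_reply().
    A UID is approved only if its own challenge came back in a message signed by
    the very key being certified; every other UID stays unsigned."""
    approved = []
    for uid, token in challenges.items():
        reply = replies.get(uid)
        if reply and reply[0] == key_fpr and token in reply[1]:
            approved.append(uid)
    return approved
```

The approved list is what you then hand to `gpg --quick-sign-key <fpr> <uid>...`, so the local keyring only ever carries certifications for UIDs that passed the check.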
More information about the Gnupg-users mailing list