Sign key and export for each UID

Doug Barton dougb at dougbarton.us
Mon Sep 16 23:33:59 CEST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

FYI, the signature on your message did not verify for me in thunderbird,
although others you have sent do.

On 09/16/2013 02:18 PM, Ingo Klöcker wrote:
| On Monday 16 September 2013 11:57:04 Doug Barton wrote:
|> The way that your signer did it is _a_ standard way to do it. CAFF is
|> a very popular program for that, and there is another here that is
|> also pretty good: http://www.phildev.net/pius/news.shtml
|>
|> I have another philosophy that works for me because I prefer not to
|> sign uids that are not valid. I send encrypted e-mail to each uid
|> with a pseudo-random string and ask the person to send me back the
|> string in a signed message. That allows me to determine if the person
|> has control of all 3 elements of the uid: the e-mail address, private
|> key, and public key.
|
| CAFF (and apparently also PIUS) achieve same

I'm familiar with how those tools work. However what I don't like about
them is that they can either leave behind signatures that I consider
bogus on my local key ring, or require that the user correctly deal with
the signatures I send, and upload them to a public key server, for me to
later download. I prefer to keep my personal key rings reflective of my
judgement about the keys/uids, regardless of how the user chooses to
deal with the signatures. But that's my choice, reasonable minds can
differ.

|> As a pleasant side effect it also gives me
|> a chance to judge their competence with PGP, which allows me to
|> assign a better trust value to folks I did not previously know.
|
| Granted, this is an advantage your workflow has over CAFF, but I'm not
| sure it's worth the additional work of verifying all replies and then
| selectively signing UIDs.

Like I said, reasonable minds can differ. I personally don't find it all
that burdensome to select the uids that I am willing to sign when I get
the responses back.

Doug

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCAAGBQJSN3lHAAoJEFzGhvEaGryEyewIAMITKi9kTCgOHIZpGjLd9NAI
Jx7Pt6xPYTK33gRhC8puOUpw8337FvXiQFH9/SiHw/gNLt9RHruIPq1nzE4UNV8P
Cv0qGOJrYuhdL8ASdOfG67HP1dFkYOy4RQPGNhoZAf3bcdG67I26t7FvciIy9o+r
xMx/I9W3hN9aANZ7VK5xGIcij7m19NRjjYECERRnOCNbSe+qh/4km7GYfQvB1W9c
mhIpwBnpKIqAqfHLr3nyrMjgYWXjxT52Y0YaXmE5xaRq+Xd909cRNi/hdLJyf12F
ILylfvSWp9k2R4kyFI/Ki0L1dEEqJLsK0k+kgI2N3+fFbcq7pQOI9utEUv8GYlY=
=pvv2
-----END PGP SIGNATURE-----

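The challenge-and-signed-reply workflow Doug describes above, worked through in code. This is an added example, not code from the post or from the GnuPG project: the gpg command lines are real options (`--with-colons`, `--status-fd`, `--decrypt`, `--encrypt`, `--quick-sign-key`), but the function names, the layout of the bookkeeping dict and the sample `gpg --with-colons` and status-fd output embedded below are this example's own constructions. One token goes to each usable UID, encrypted to the key; a UID is marked verified only when its token comes back in a message whose VALIDSIG line names the same primary key, and only those UIDs are then signed.

```python
"""Per-UID challenge/response before key signing (added example).

Only the person reading the mailbox named in a UID receives that UID's
token, and only the holder of the private key can decrypt it and sign the
reply, so a correct signed reply ties mailbox, private key and public key
together for that one UID.  Revoked/expired UIDs are never challenged."""
import hmac
import re
import secrets
import subprocess

# Constructed sample of `gpg --with-colons --with-fingerprint --list-keys`:
# primary key, one valid UID, one revoked UID (validity 'r'), one subkey.
SAMPLE_COLONS = """\
pub:u:4096:1:AAAABBBBCCCCDDDD:1378000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1378000000::HASH1::Ex Ample <ex@example.org>::::::::::0:
uid:r::::1378000000::HASH2::Ex Ample <old@example.net>::::::::::0:
sub:u:4096:1:1111222233334444:1378000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""
# Constructed sample of `--status-fd` output for a reply signed by the subkey.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 Ex Ample <ex@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2013-09-16 1379365500 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
EMAIL_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
TOKEN_RE = re.compile(r"\b[0-9a-f]{32}\b")


def parse_uids(colons_text):
    """(primary fingerprint, usable UID strings) from --with-colons output.
    Field 10 is the fingerprint on 'fpr' records and the user ID on 'uid'
    records; field 2 of a uid is its validity, 'r' revoked / 'e' expired."""
    fpr, uids = None, []
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] == "fpr" and fpr is None:
            fpr = f[9].upper()            # first fpr record = primary key
        elif f[0] == "uid" and f[1] not in ("r", "e") and EMAIL_RE.search(f[9]):
            uids.append(f[9])             # UIDs without an address can't be mailed
    return fpr, uids


def parse_status(status_text):
    """Primary-key fingerprint from a VALIDSIG line, or None if no valid sig.
    VALIDSIG's last field is the *primary* key fpr even when a signing subkey
    made the signature; older gpg omits it, then field 3 (signing key) is used."""
    for line in status_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            return (f[11] if len(f) >= 12 else f[2]).upper()
    return None


def issue_challenges(colons_text):
    """Fresh 128-bit token per usable UID; returns the bookkeeping state."""
    fpr, uids = parse_uids(colons_text)
    return {"fpr": fpr, "pending": {secrets.token_hex(16): u for u in uids},
            "verified": []}


def challenge_text(token, uid):
    return (f"To confirm the UID {uid}, please reply with a signed message "
            f"containing this string:\n\n{token}\n")


def check_reply(state, status_text, plaintext):
    """Mark a UID verified iff the reply is validly signed by the expected
    primary key and contains exactly one still-pending token (compared with
    compare_digest).  Returns the UID, or None.  A token is single-use."""
    if parse_status(status_text) != state["fpr"]:
        return None
    found = TOKEN_RE.findall(plaintext)
    hits = [t for t in state["pending"]
            if any(hmac.compare_digest(t, w) for w in found)]
    if len(hits) != 1:
        return None
    uid = state["pending"].pop(hits[0])
    state["verified"].append(uid)
    return uid


# --- real gpg calls (not exercised by the embedded sample) -----------------
def encrypt_for(fpr, text):
    """Armoured ciphertext of `text` to the key; paste into the mail body."""
    return subprocess.run(["gpg", "--batch", "--armor", "--encrypt", "-r", fpr],
                          input=text, text=True, capture_output=True,
                          check=True).stdout


def verify_reply_file(path):
    """(status lines, plaintext) for a signed/clearsigned reply on disk."""
    r = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
                       text=True, capture_output=True)
    return r.stderr, r.stdout


def sign_verified(state):
    """Certify only the UIDs that answered; nothing else touches the keyring."""
    if state["verified"]:
        subprocess.run(["gpg", "--quick-sign-key", state["fpr"]] + state["verified"],
                       check=True)
```

Typical use: `state = issue_challenges(subprocess.check_output(["gpg", "--with-colons", "--with-fingerprint", "--list-keys", FPR], text=True))`, mail `encrypt_for(state["fpr"], challenge_text(tok, uid))` to each pending UID's address, feed each reply through `verify_reply_file` and `check_reply`, and finish with `sign_verified(state)`. The From: header of the reply is deliberately ignored; the token alone says which mailbox received the challenge.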