Non email addresses in UID
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Jan 24 18:15:40 CET 2014
On 01/23/2014 05:50 PM, Steve Jones wrote:
> I've been thinking about UIDs in keys, rfc4880 section 5.1 says that by convention a UID is an rfc2822 email address but this is not a requirement[1]. Gnupg does enforce that restriction unless you explicitly disable it. It would seem to make sense to include other strings that can identify a user, many people have various URLs which could be said to relate to their identity, Facebook accounts, blogs etc... It could potentially be useful to be able to associate a key with these other identities, i.e. if you get an email purporting to be from someone you only know on a webforum it would be useful to be able to verify this. I'm curious what other people on this list think of this.
There are already systems that make use of the flexibility in this
field. For example SSH hosts can publish their RSA host key in an
OpenPGP certificate using the monkeysphere (i'm a contributor to the
monkeysphere project):
http://web.monkeysphere.info/
Other people advocate including a human-readable name without an e-mail
address as a User ID, so that you can refer to a person without making
any claim about e-mail addresses (i'm don't find the utility of this use
case particularly convincing myself, but it doesn't seem terrible).
So the general question you're asking about is being done already. As
for facebook or openid or webforums other identifiers, i don't think
those have been particularly well-thought through yet. Under what
circumstances would you use them?
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140124/3686b01b/attachment.sig>
More information about the Gnupg-users
mailing list