MUA "automatically signs keys"?

Steve Jones steve at
Fri Jan 31 16:37:42 CET 2014

On Fri, 31 Jan 2014 15:02:14 +0100
NdK <ndk.clanbo at> wrote:

> On 31/01/2014 10:24, Steve Jones wrote:
> > Well the conventions of use, for example the key signing party
> > protocol, require photographic ID. If I publicly sign a key it has
> > to be in line with how I expect others to interpret it. Policies and
> > notations on signatures go some way to alleviate that but only if
> > the tools support it.
> I tried looking around for some tutorials about notations, but could
> only find minimal information ("it's a string in 'tag at domain=value'
> format").

RFC 4880 seems to be the primary documentation.

> IIUC in *my* policy I could specify that when signing a key I use
> "ndk at mydomain=X" notation and that X=0 means "just checked the person
> can access the given mailbox", X=1 means "at least 2 other persons
> have confirmed that the same user used that email address for the
> last year" and so on.

That's pretty much it. I wouldn't worry about tracking what other
people have seen though if I were implementing a scheme like this. My
thinking is more notations like "only-emailed at". But
the point of the @domain part is that anyone can implement whatever
namespaces they want.

> Is my understanding right? When I sign a key and use a notation, am I
> actually signing *all* the identities associated with that key? Or
> just one?

All signatures are on particular UIDs, and notations are part of
signatures, so you can sign as few or as many identities as you like.

Steve Jones <steve at>
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC  4272 2AC8 A680 7167 C896
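
The notation format discussed in this message, as an added example that is not part of the original post or of GnuPG's code: it encodes and parses the body of an RFC 4880 Notation Data subpacket (section 5.2.3.16) and maps a value to a signer-published meaning. The namespace `ndk@example.org` and the `POLICY` table are constructed for illustration.

```python
import struct

HUMAN_READABLE = 0x80  # first flag octet, RFC 4880 section 5.2.3.16

# Hypothetical policy table for the constructed namespace "ndk@example.org",
# mirroring the two levels described in the quoted message.
POLICY = {
    "0": "checked that the person can access the given mailbox",
    "1": "at least 2 other persons confirmed use of the address for the last year",
}

def build_notation(name: str, value: str, human_readable: bool = True) -> bytes:
    """Encode the body of a Notation Data subpacket (type 20)."""
    n, v = name.encode("utf-8"), value.encode("utf-8")
    flags = bytes([HUMAN_READABLE if human_readable else 0, 0, 0, 0])
    return flags + struct.pack(">HH", len(n), len(v)) + n + v

def parse_notation(body: bytes) -> dict:
    """Decode a Notation Data subpacket body, rejecting malformed lengths."""
    if len(body) < 8:
        raise ValueError("notation body shorter than its 8-octet header")
    name_len, value_len = struct.unpack(">HH", body[4:8])
    if len(body) != 8 + name_len + value_len:
        raise ValueError("declared lengths do not match body size")
    name = body[8:8 + name_len].decode("utf-8")
    raw_value = body[8 + name_len:]
    readable = bool(body[0] & HUMAN_READABLE)
    # User-namespace names have the form tag@domain; names without "@"
    # belong to the IETF-reserved namespace.
    tag, sep, domain = name.partition("@")
    if not sep or not tag or not domain:
        raise ValueError("not a user-namespace notation name: %r" % name)
    return {
        "tag": tag,
        "domain": domain,
        "human_readable": readable,
        "value": raw_value.decode("utf-8") if readable else raw_value,
    }

def describe(body: bytes, namespace: str, policy: dict) -> str:
    """Map a notation to the signer's published meaning, if any."""
    n = parse_notation(body)
    if f"{n['tag']}@{n['domain']}" != namespace or not n["human_readable"]:
        return "unknown notation"
    return policy.get(n["value"], "unknown level")
```

With GnuPG, a notation of this form is attached to a key signature using the `--cert-notation` option.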