I don't understand why. If you trust the association of the Name and
key, how/why would having an email address in there as well improve
the trust?
It's not an issue of improving the trust, it's an issue of
disambiguation. In my case, there are many different David Shaws out
there,
On Wed, Oct 26, 2005 at 12:26:31PM -0500, Alex Mauer wrote:
David Shaw wrote:
Some people
will not sign such a user ID though,
It's not an issue of improving the trust, it's an issue of
disambiguation.
Right, so why is it any better to have a key with:
0x99242560 David Shaw
David Shaw wrote:
You always have the option to not sign, of course. But you don't get
to tell the keyholder what information he puts in his user ID string.
You don't create that, and it must be signed completely or not signed
at all.
Of course it is not possible to tell the key holder what
Joost van Baal wrote:
On Tue, Oct 25, 2005 at 11:38:49PM -0400, David Shaw wrote:
It's not an issue of improving the trust, it's an issue of
disambiguation. In my case, there are many different David Shaws out
there, including a furniture designer in New Zealand, a Pulitzer prize
winning
David Shaw wrote:
Some people
will not sign such a user ID though,
It's not an issue of improving the trust, it's an issue of
disambiguation.
Right, so why is it any better to have a key with:
0x99242560 David Shaw [EMAIL PROTECTED]
than to have
0x99242560 David Shaw
0x99242560 [EMAIL
On Wed, Oct 26, 2005 at 08:01:15PM +0100, Neil Williams wrote:
I wouldn't sign the email only one because an email address can be accessible
to more than one person. If I'm encrypting to this key, I want to know to
WHOM I am writing.
In some cases you can't to WHOM you are writing. What
David Shaw wrote:
On Mon, Oct 24, 2005 at 04:21:32PM -0500, Alex Mauer wrote:
I don't agree with this. The user ID system in all OpenPGP products
gives a regular UTF-8 string. Signatures simply bind that string to
the primary key. The system says exactly Alex Mauer belongs with key
On Tue, Oct 25, 2005 at 06:22:10PM -0500, Alex Mauer wrote:
David Shaw wrote:
On Mon, Oct 24, 2005 at 04:21:32PM -0500, Alex Mauer wrote:
I don't agree with this. The user ID system in all OpenPGP products
gives a regular UTF-8 string. Signatures simply bind that string to
the
David Shaw wrote:
Some people (myself included) check both before signing. The name via
some sort of formal ID, and the email via a mail challenge.
As do I, at least for a level 3 signature.
Still, if you don't want to bind both tokens together, just create a
user ID of [EMAIL PROTECTED]
On Tue, Oct 25, 2005 at 08:50:11PM -0500, Alex Mauer wrote:
David Shaw wrote:
Some people (myself included) check both before signing. The name via
some sort of formal ID, and the email via a mail challenge.
As do I, at least for a level 3 signature.
Still, if you don't want to bind both
If anything needs to change it is that the documentation
I can more and more see that thanks to everybody's willingness on
this list to explain.
That is exactly my point, NOBODY should rely on ANY of that
information to identify a key. The only identifier for a key is the
[EMAIL PROTECTED] wrote:
And the final 'objection' is more of a philosophical one: what is IDENTITY?
If I know a person only by email, then that email *is* the person to me.
And I know many people just by email and we are probably never going to
meet IRL, except for some strange
On Mon, Oct 24, 2005 at 04:21:32PM -0500, Alex Mauer wrote:
The UID format is also problematic IMO. GPG (OpenPGP?) strongly
wants to have a Name and an email address for each UID. I think
that this puts emphasis in a bad place, leading people to be signing
the fact that e.g. Alex Mauer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Neil Williams wrote:
As I said, you can verify my key via someone else. Once your key is in the
strong set this becomes a lot easier. I regularly come across keys used on
this list that are instantly verified by the web of trust.
The web of
On Sunday 23 October 2005 8:15 am, [EMAIL PROTECTED] wrote:
On Sat, Oct 22, 2005 at 10:14:58PM +0100, Neil Williams wrote:
? That key has NO signatures other than yourself! There's no way anyone
can trust it. There are NO paths.
It does, look at:
On Sunday 23 October 2005 5:49 am, Alphax wrote:
Neil Williams wrote:
The only solution to that is to get more
keysigning done.
And to get more people using OpenPGP. Does anyone have a document called
(eg.) Why you should use OpenPGP or similar? I've read the GNU Privacy
Handbook and
On Sun, Oct 23, 2005 at 05:16:43PM +0100, Bob Henson wrote:
Some people do not like this server as it does email address
verification (via sending a mail to the email address on the key, if
any), and then signs the key. These signatures are reissued every 2
weeks or so if people keep
David Shaw wrote:
On Sun, Oct 23, 2005 at 05:16:43PM +0100, Bob Henson wrote:
That's not the only reason though. The PGP Global Keyserver is dangerous, as
well as a nuisance, for a number of reasons. As it only shows one key on a
search for a user's name, it might cause people to miss a revoked
Am I missing something?
The web of trust. (And the documentation, apparently.)
Okay. I got that by now. I think the problem was that MacGPG makes it
really easy to get started with GPG:
There's a plug-in that integrates nicely with Apple's Mail. And the
Keychain Assistant lets
I suggest that you seriously check our Big Lumber at www.biglumber.com
Thanks John. I will.
Regarding my personal web of trust: I get a clearer picture now and
for starters I'll exchange keys directly with my friends.
As for the unwanted keys for my e-mail address. At least for now I
On Saturday 22 October 2005 9:20 pm, [EMAIL PROTECTED] wrote:
The web of trust enables such verification - if you can't meet me in
person, you can verify my key by having your key signed by someone who
has met me (there are lots).
Until that happens, you have no way of trusting that this
On Saturday 22 October 2005 10:14 pm, Neil Williams wrote:
I have not met everyone I can trust via the web of trust. From David's
stats, I have 20 or so signatures that link within the main set and I can
trust some 1400 keys that way.
Sorry, that should be Jason's stats, not David's.
Look
I'm still in the process of learning how to use GPG for signing and
encrypting messages. I use MacGPG on, you guessed it, OS X.
The interface of the GPG Keychain app makes it really easy to do some
powerful stuff. And you know how it is, if powerful stuff is put in
the hands of ignorant
24 matches