Hi,

On Wed, Dec 04, 2002 at 03:05:57AM +0100, Rene Engelhard wrote:
> Hi,
>
> Oohara Yuuma wrote:
> > When signing a GPG key, is it better to sign all of its uids, or
> > just an uid that I see relevant (such as the @debian.org one)?
> > I usually meet someone, get a hardcopy of the key fingerprint,
> > the e-mail address and so on, then check it later and sign the uid
> > which have that address in it.
>
> I sign a uid when these uid's address is not bouncing and the person who
> claims to belong to this key answers a message encrypted to him sent
> to the specific uid. If the person answers to all the mails sent to
> him, I can sign all uid's.
>
> The checking if the email is valid and can be read by the keyowner
> does weasel's cabot for me => http://www.palfrader.org/#cabot

This sounds like good practice, but the burden of proof for the
"activeness" of the e-mail account is on the signer's side. A bit unfair, IMHO.

I have 2 e-mail accounts associated with my GPG key: one e-mail address
from before I joined Debian and one with @debian.org. I am wondering what
is the best option for me:

1) Add both e-mail addresses in my Debian business card to get attention
   and to get signed for both e-mail addresses.
2) Ask people who signed only for the old e-mail address to sign the new
   one and revoke the old one eventually.
3) Just leave as is. Make sure to get one for [EMAIL PROTECTED] signed at
   least for the new signatures.
4) Just leave as is. If some sign either one uid, leave it as is. Gather
   GPG signatures randomly but a lot :)

Osamu
--
Osamu Aoki <[EMAIL PROTECTED]> Cupertino CA USA, GPG-key: A8061F32
Debian Reference: post-installation user's guide for non-developers
http://qref.sf.net and http://people.debian.org/~osamu
"Our Priorities are Our Users and Free Software" --- Social Contract