On Mon, Apr 16, 2001 at 10:12:57PM +0200, Peter Palfrader wrote:
> On Mon, 16 Apr 2001, Ralf Treinen wrote:
> > > > pub 1024D/D94AF6B8 2000-10-17 Thierry Bourrillon <[EMAIL PROTECTED]>
> > > What is it?
> > It's just the ID that he chose for his key. I told him that his
> > debian address most likely will not look like this. At that time
> > (when I signed his key) I didn't care since he can generate (and
> > submit to the keyring) as many subkeys as he likes.
>
> In other words you signed an ID that was not owned by the owner
> of the secret key. Not good imho.

It's terrible what you people here call keysigning, and keysign checking.
You are using --list-sigs and not --check-sigs; --list-sigs DOES NOT CHECK
ANYTHING. And that other guy signs a UID that's invalid. So, if elmo rejects
the application the applicant can be happy with having a signed @debian.org
UID. I have no idea whatever it's good for by this time, but it's BAD anyway.

The web of trust is a piece of shit because of the 'I-don't-care' users of
strong encryption systems.

/me is sad to see this

p.s: To-Learn:
1.) Do not sign nonexistent UIDs
2.) DO USE --check-sigs

Two easy steps for improving the security enormously.

Argh,
--
Lenart, Janos <[EMAIL PROTECTED]>
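The difference between --list-sigs and --check-sigs raised in the message above, as an added example that is not part of the original thread: a small script that reads gpg's --with-colons output and counts signatures by verification result. The function names, the sample records and the placeholder key IDs are constructed for illustration, and the empty result field for --list-sigs is how the colon format is assumed to appear here.

```shell
#!/bin/sh
# Added example (not from the thread). Summarise the "sig" records of
#   gpg --check-sigs --with-colons KEYID
# Field 2 of a sig record is the verification result:
#   "!" good, "-" bad, "?" signer's public key missing, "%" other error.
# With --list-sigs the field is empty, because nothing was verified.

sig_summary() {
    awk -F: '
        $1 == "sig" {
            if      ($2 == "!") good++
            else if ($2 == "-") bad++
            else if ($2 == "?") nokey++
            else if ($2 == "%") err++
            else                unchecked++
        }
        END {
            printf "good=%d bad=%d nokey=%d error=%d unchecked=%d\n",
                   good, bad, nokey, err, unchecked
        }'
}

# Print signer key ID and result flag for every signature that did not verify.
not_verified() {
    awk -F: '$1 == "sig" && $2 != "!" { print $5 " " ($2 == "" ? "unchecked" : $2) }'
}

# Constructed sample in --check-sigs --with-colons layout (key IDs are placeholders).
sample_checked() {
    cat <<'EOF'
pub:-:1024:17:AAAAAAAAAAAAAAAA:2000-10-17:::-:::scESC:
uid:-::::2000-10-17::0000::Alice Example <alice@example.org>:
sig:!::17:AAAAAAAAAAAAAAAA:2000-10-17::::Alice Example <alice@example.org>:13x:
sig:-::17:BBBBBBBBBBBBBBBB:2001-01-05::::Bob Example <bob@example.org>:10x:
sig:?::17:CCCCCCCCCCCCCCCC:2001-02-01::::[User ID not found]:10x:
EOF
}

# The same records as --list-sigs would emit them: result field left empty.
sample_listed() {
    sample_checked | awk -F: 'BEGIN { OFS = ":" } $1 == "sig" { $2 = "" } { print }'
}

echo "--check-sigs: $(sample_checked | sig_summary)"
echo "--list-sigs:  $(sample_listed | sig_summary)"
sample_checked | not_verified
```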

