On Thu, 2005-01-20 at 14:11 +0900, Georgi Georgiev wrote:
> So people are currently trusting the *name* of a person, but... What
> happens if I show a proper ID but use fake e-mail addresses in my key?
> Nobody told me how you verify e-mail addresses...
That is why you send the person an encrypted email to the address. If they can decrypt it, then they are who they say they are, as they have access to both the email address and the GPG key that you verified against their ID.

> So, if I had an anonymous uid in my key, how likely is someone to sign
> it without meeting in person? I am not claiming to be Georgi Georgiev
> with that uid, I only claim to be [EMAIL PROTECTED]

Well, seeing as how it was still in your same key, it would still be you. The signature won't carry over to another key if you were to remove it, so what exactly is your point? That you can use another email address to identify yourself? We've already said that we won't sign it without meeting you, so this whole argument is moot.

> To see what I mean -- gpg --refresh-keys [EMAIL PROTECTED] and verify the
> signature of this message. The latest uid that I just created has no
> name associated with it, so no need for an ID, right? I just need to
> prove that [EMAIL PROTECTED] is my address, right?

Say what? No. You would be signing that [EMAIL PROTECTED] is Georgi Georgiev and has the key ID 44F51266. Adding another uid to the same key, with or without a name, won't change that. Also, when you sign, it asks you if you want to sign all the uids for the key. I would say "no" to that and only sign the one I have verified myself.

-- 
Chris Gianelloni
Release Engineering - Operational/QA Manager
Games - Developer
Gentoo Linux
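The practice Chris describes (sign only the uid whose address you actually verified, on the key whose ID you checked against the person's document), as an added example that is not part of the original thread: this Python helper parses `gpg --with-colons --list-keys` output, refuses to proceed if the fetched key's ID does not match the one verified in person, picks the single uid whose address was confirmed by the encrypted-mail round trip, and emits the `--edit-key` commands that sign just that uid. The sample listing, the addresses and the long key ID are constructed (only the short ID 44F51266 comes from the thread); it assumes `--edit-key` numbers uids in the same order as the listing.

```python
from email.utils import parseaddr

# Constructed sample of `gpg --with-colons --list-keys` output. The long key ID,
# addresses and uid hashes are made up; only the short ID 44F51266 is from the thread.
SAMPLE_LISTING = """\
tru::1:1106190000:0:3:1:5
pub:-:1024:17:ABCDEF0144F51266:1106190000:::-:::sca:
uid:-::::1106190000::0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D3::Georgi Georgiev <georgi@example.org>::::::::::0:
uid:-::::1106190000::F9E8D7C6B5A49382716050F4E3D2C1B0A9F8E7D6::Georgi Georgiev <other@example.net>::::::::::0:
sub:-:2048:16:1122334455667788:1106190000::::::e:
"""


def parse_listing(text):
    """Return (long key ID, [uid strings in listing order]) for the first pub block."""
    key_id, uids = None, []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            if key_id is not None:
                break             # a second key follows; we only handle one at a time
            key_id = fields[4]    # field 5 of a pub record is the key ID
        elif fields[0] == "uid" and key_id is not None:
            uids.append(fields[9])  # field 10 of a uid record is the user ID string
    return key_id, uids


def uid_to_sign(text, verified_email, checked_key_id):
    """1-based uid number to sign, or None if the key or the address was not verified."""
    key_id, uids = parse_listing(text)
    # The key ID checked against the person's document must match the key we fetched.
    if key_id is None or not key_id.upper().endswith(checked_key_id.upper()):
        return None
    for n, uid in enumerate(uids, start=1):
        # parseaddr handles "Name (comment) <addr>" as well as a bare, nameless address uid
        _, addr = parseaddr(uid)
        if addr and addr.lower() == verified_email.lower():
            return n
    return None


def edit_key_script(n):
    """Commands for `gpg --command-fd 0 --edit-key KEYID`: select uid n, sign it, save.

    The 'y' answers gpg's "Really sign?" prompt; with ask-cert-level set in gpg.conf
    an extra answer for the certification level would be needed before it."""
    return f"uid {n}\nsign\ny\nsave\n"
```

Feed the returned script to gpg on stdin after fetching the key with `--refresh-keys`; if `uid_to_sign` returns None, nothing gets signed.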