maillog: 20/01/2005-18:17:53(-0500): Chris Gianelloni types
> On Fri, 2005-01-21 at 07:52 +0900, Georgi Georgiev wrote:
> > maillog: 20/01/2005-09:57:24(-0500): Chris Gianelloni types
> > > On Thu, 2005-01-20 at 14:11 +0900, Georgi Georgiev wrote:
> > >
> > > > To see what I mean -- gpg --refresh-keys [EMAIL PROTECTED] and
> > > > verify the signature of this message. The latest uid that I just
> > > > created has no name associated with it, so no need for an ID,
> > > > right? I just need to prove that [EMAIL PROTECTED] is my address,
> > > > right?
> > >
> > > Say what? No. You would be signed that [EMAIL PROTECTED] is Georgi
> > > Georgiev and has the key ID 44F51266.
> >
> > Really? But I was talking about signing only the UID that has no name.
>
> Why the hell would we do that?

If my anonymous key was signed, you wouldn't be able to send a signed
e-mail claiming it to be from my e-mail address. And since you don't
trust my name, checking the signature would reveal a "good signature by
[anon] [EMAIL PROTECTED]" when I send signed e-mail. In this case you'd
at least know that my e-mail is not spoofed which is still something.

> > > Adding another uid to the same key, with or without a name, won't
> > > change that. Also, when you sign, it asks you if you want to sign
> > > all the uid for the key. I would say "no" to that and only sign the
> > > one I have verified myself.
> >
> > Yes. So don't sign the UIDs that have names. Only the anonymous one.
>
> Again, we aren't out to try to circumvent the process, so your point is
> moot. We wouldn't sign the "anonymous" uid.

--
*) Georgi Georgiev   *) We are experiencing system trouble -- do *)
(* [EMAIL PROTECTED] (* not adjust your terminal.                (*
*) +81(90)6266-1163  *)                                          *)
