On 18-03-2012 15:13, freej...@is-not-my.name wrote:
>> I should note that many people actually *don't* check if the
>> e-mail address belongs to the person whose UID they sign. If this
>> were as ...
> That doesn't sound right. If you can't verify the email shown on
> the key belongs to the user what have you accomplished? All you did
> was tie a key id to a person (maybe, not sure if you provably
> accomplished that) but not the email address. If the purpose of key
> signing is ultimately to relate something useful to a person then I
> think it's more useful to know a certain person owns a certain
> email address and what his key id is. YMMV.

Well, I can carry my photo-ID stuff with me to a keysigning party, but I don't have any document to show I own my email address. Some people solve that by sending the signed key, encrypted to the recipient's key, to the email address. If the person doesn't control the email address, the person won't get the signature. If the email owner doesn't have the key, then he can't open the signature.

Some people even add what is called a Freeform UID, which carries Name, Comment, but no email address; that way, if they change their email provider, signatures collected on that UID won't be lost (you should revoke the UIDs that include an email address you can no longer use).

> Passports and other documents are easily forged, just take 100
> bucks and sit

Well, that depends on the technology used to make the passports.

...

> you along with his passport? I'm sure somebody has thought it all
> through but it seems to me the purpose of trusting a key is to bind
> somebody to an email address, not just a key ID...sort of like
> S/MIME that contains the email address, but without relying on a
> trusted third party.

That depends on what you want to achieve. Some people want to know which is the real key of a person (binding the key to a name), some others want to make sure they are sending stuff to the right person, but don't care about who that person is (they bind the key to an email address, or to a nickname). That is the good (and for some people, the bad) thing about OpenPGP: your signatures have the meaning you want them to have...

Best Regards
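
The e-mail check described in the message above (send the signed key, encrypted to the recipient's key, to the address on the UID), as an added example that is not part of the original post. It assumes GnuPG 2.1 or later; the helper names, the Alice/Bob identities and the single throwaway keyring holding both secret keys are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Requires GnuPG 2.1 or later.
# All names, addresses and keys below are constructed for the demonstration.

# fpr_of UID: print the primary-key fingerprint of the key matching UID.
fpr_of() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# make_challenge SIGNER_FPR TARGET_FPR
# Certify TARGET's key with SIGNER's key, then print the certified public key
# encrypted to TARGET, so only the holder of TARGET's secret key can read it.
make_challenge() {
    gpg --batch --yes --quiet -u "$1" --quick-sign-key "$2" 2>/dev/null || return 1
    gpg --batch --export "$2" |
        gpg --batch --quiet --armor --trust-model always \
            --recipient "$2" --encrypt 2>/dev/null
}

# count_certs_by SIGNER_FPR: read a public key on stdin and count the
# signature packets issued by SIGNER (matched on the 64-bit key ID).
count_certs_by() {
    keyid=$(printf '%s' "$1" | tail -c 16)
    gpg --batch --list-packets 2>/dev/null |
        grep -c ":signature packet:.*keyid $keyid"
}

# demo: throwaway keyring, two constructed identities, one round trip.
# Prints how many of Alice's certifications Bob finds after decrypting.
demo() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    for uid in 'Alice Example <alice@example.org>' 'Bob Example <bob@example.org>'; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$uid" default default never 2>/dev/null || return 1
    done
    alice=$(fpr_of alice@example.org)
    bob=$(fpr_of bob@example.org)
    # Signer's side: this file is what gets mailed to bob@example.org.
    make_challenge "$alice" "$bob" > "$GNUPGHOME/to-bob.asc" || return 1
    # Recipient's side: decrypting needs Bob's secret key.
    gpg --batch --quiet --decrypt "$GNUPGHOME/to-bob.asc" 2>/dev/null |
        count_certs_by "$alice"
    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$GNUPGHOME"
}
```

In real use the signer keeps the new certification out of any public export until the recipient, having received and decrypted the mail, publishes it.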