On Thu, Jan 30, 2014 at 09:09:45PM +0000, MFPA wrote:
> > The advantage you have here though is the web of trust.
> > 1 level 1 signature would probably be not enough, but
> > 5, 10, 100..?
>
> If the signatures are made automatically by email software without
> verifying identity, where is the web of trust? Lots of such signatures
> would tie the key to the email address but not to a person. Email
> addresses, just like phone numbers, may be re-used by a different
> person today to who used them last year.

Well... To this at least I can answer.

Sure, it links a key to an email address. Yet, more often than not one knows the email address of the intended recipient (otherwise, how would he/she send the email?). So knowing an email address is associated with a key can be useful.

About emails reused by different persons... AFAICT most major email services never re-issue the same email address twice. Which could be considered good practice. If one worries about an email agency stealing the email addresses, well...

A signature on an email UID means "Yes, this key is used by the same person as the email address". So signing it "automatically" would not conflict with the meaning of the signature. Yet if the UID also includes a name, then it should be signed only after appropriate verification of the owner.

Just my two cents,

Leo

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users