On Fri, Oct 2, 2015 at 7:01 AM, Anthony Papillion <anth...@cajuntechie.org> wrote:
>
> Sorry to just jump in here but I've been following the conversation
> and this caught my eye. While checking the email address associated
> with a key might not /always/ be useful (like in the case of IM, fax,
> etc), it /can/ help provide 'evidence' that a key might have been
> compromised. If I receive an email from an email address that is
> different from that on the key, the very first thing I would do is
> email the key holder at their known address and ask what's up. It
> could very well be a case where the key has been compromised but the
> email address hasn't and the key holder doesn't know.

While the key is used to certify the email / IM name / website, etc. and not the other way round, it is certainly helpful to check both. So you are right. However, note that an email inbox can be hijacked as well as a regular mailbox.

...

After some thought, I found that for all the contact methods (various email addresses, IMs, websites) where I use my key, I had identified myself in person to my frequent contacts before. So the signatures really mean that "this email / IM account has not been compromised", and not that "this key is probably compromised".

Guan
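
The check discussed in this thread, comparing a message's sender address with the addresses on the signing key, sketched as an added example that is not part of either poster's message. The key listing is a constructed sample in `gpg --with-colons` format, and the function names are hypothetical.

```python
import re
from email.utils import parseaddr

# Constructed sample of `gpg --with-colons --list-keys` output (not a real key).
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1443790000:::u:::scESC:
uid:u::::1443790000::PLACEHOLDERHASH1::Alice Example <alice@example.org>:
uid:r::::1443790000::PLACEHOLDERHASH2::Alice Example <old@example.org>:
uid:u::::1443790000::PLACEHOLDERHASH3::Alice Example (IM) <alice@jabber.example.net>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1443790000::::::e:
"""

def key_addresses(listing):
    """Return lowercased addresses from uid records that are not revoked or expired."""
    found = set()
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 10 or fields[0] != "uid":
            continue
        if fields[1] in ("r", "e"):  # field 2 is validity: r = revoked, e = expired
            continue
        # Field 10 is the user ID; gpg escapes special characters as \xNN.
        uid = re.sub(r"\\x([0-9a-fA-F]{2})",
                     lambda m: chr(int(m.group(1), 16)), fields[9])
        match = re.search(r"<([^<>\s]+@[^<>\s]+)>", uid)
        if match:
            # Simplification: compare case-insensitively, as most mail systems do.
            found.add(match.group(1).lower())
    return found

def check_sender(from_header, listing):
    """Compare the From address of a signed message with the key's user IDs."""
    sender = parseaddr(from_header)[1].lower()
    known = key_addresses(listing)
    if sender in known:
        # A match only ties the address to the key; the inbox itself may
        # still be hijacked, as the reply above points out.
        return "match"
    return "mismatch: ask the key holder at " + ", ".join(sorted(known))

if __name__ == "__main__":
    print(check_sender("Alice <alice@example.org>", SAMPLE_LISTING))
    print(check_sender("Alice <alice@webmail.example.com>", SAMPLE_LISTING))
```
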