At Fri, 30 Oct 2015 12:06:14 +0000, MFPA wrote:
> On Thursday 29 October 2015 at 2:06:51 PM, in
> <mid:878u6l93b8.wl-n...@walfield.org>, Neal H. Walfield wrote:
>
> > When you verify a
> > message from some user for the first time, GnuPG saves
> > the binding between the user id (actually, the
> > normalized email address) and the key.
>
> The email address in the user-id, or the email address the message
> appears to come from?
>
> If it's the email address in the user-id, what happens if the key has
> multiple UIDs covering several email addresses? Or if the user-ids
> contain no readable email addresses?
The user ids are used. These are authoritative. If there are N user ids, then N bindings are maintained.

> > When you verify
> > another message from that user, the saved bindings with
> > that user's address are retrieved. If there is at
> > least one such binding, but none of them include the
> > signer's key, then either the signer is using a new key
> > or someone is attacking you. In this case, GnuPG
> > displays a warning and prompts you to verify the key
> > and set an appropriate policy (e.g., the key should be
> > considered untrusted).
>
> How does it handle a new signing sub-key?

The primary key is always used in the binding.

Thanks,

:) Neal
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
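The binding behaviour Neal describes (one binding per user ID, bindings keyed by the primary key rather than the signing subkey, a conflict when an already-bound address shows up under a different primary key) can be modelled in a few dozen lines. The following is an added illustration written for this page, not GnuPG's own TOFU code: the class names, the normalisation rules, the sample fingerprints and user IDs are all assumptions made for the example.

```python
"""Toy model of GnuPG's TOFU (trust-on-first-use) binding store.

Added example, not GnuPG code. It follows the behaviour described in the
thread:
  * the user IDs on the signing key are authoritative (not the From: header)
  * a key with N user IDs that carry an address yields N bindings
  * bindings are stored against the *primary* key fingerprint, so signing
    with a new subkey under the same primary key is not a conflict
  * a second primary key claiming an already-bound address is a conflict
Names, normalisation rules and sample data below are assumed.
"""
from dataclasses import dataclass, field
import re
import unicodedata

# Angle-bracketed address in a user ID such as "Alice <Alice@Example.ORG>".
# A user ID without one (bare name, photo ID) contributes no binding.
_ADDR_RE = re.compile(r"<([^<>]+@[^<>]+)>")


def normalize_email(addr: str) -> str:
    """Canonical address form for TOFU lookups (assumed rules:
    NFKC-normalise, strip surrounding whitespace, lower-case)."""
    return unicodedata.normalize("NFKC", addr).strip().lower()


def emails_from_user_ids(user_ids):
    """Normalised addresses extracted from a key's user IDs, in order."""
    out = []
    for uid in user_ids:
        m = _ADDR_RE.search(uid)
        if m:
            out.append(normalize_email(m.group(1)))
    return out


@dataclass
class Key:
    primary_fpr: str                 # primary key fingerprint (assumed value)
    user_ids: list                   # user ID strings on the key
    subkeys: list = field(default_factory=list)  # signing subkeys, not bound


@dataclass
class TofuDB:
    # normalised email -> set of primary fingerprints bound to that address
    bindings: dict = field(default_factory=dict)

    def verify(self, key: Key) -> dict:
        """Record or check the binding for every address on `key`.

        Per-address verdict:
          "new"       first sighting: binding saved (trust on first use)
          "ok"        address already bound to this primary key
          "conflict"  address bound only to other primary key(s); this is
                      where GnuPG warns and asks for a policy decision
        """
        verdicts = {}
        for email in emails_from_user_ids(key.user_ids):
            known = self.bindings.setdefault(email, set())
            if not known:
                known.add(key.primary_fpr)
                verdicts[email] = "new"
            elif key.primary_fpr in known:
                verdicts[email] = "ok"
            else:
                verdicts[email] = "conflict"
        return verdicts


def demo():
    """Walk through the cases raised in the thread; returns the verdicts."""
    db = TofuDB()
    # Constructed key: two addressed user IDs plus one with no address.
    alice = Key("AAAA1111", ["Alice <alice@example.org>",
                             "Alice (work) <Alice@Example.COM>",
                             "Alice Photo ID"],
                subkeys=["SUB1"])
    first = db.verify(alice)          # two bindings, one per address
    alice.subkeys.append("SUB2")      # new signing subkey, same primary key
    second = db.verify(alice)         # still "ok": the primary key is bound
    # Constructed second key claiming one of Alice's addresses.
    mallory = Key("BBBB2222", ["alice <alice@example.org>"])
    third = db.verify(mallory)        # conflict: new key or an attack
    return first, second, third


if __name__ == "__main__":
    for step, verdict in zip(("first", "subkey", "other key"), demo()):
        print(step, verdict)
```

Note that the third user ID ("Alice Photo ID") yields no binding at all, which is the "no readable email address" case MFPA asked about, and that the conflict verdict does not by itself say whether the second key is a legitimate replacement or an impersonation: that is exactly the decision the GnuPG prompt hands back to the user.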