> Ah, but the authentication is the signature chain. :-) What is, of course,
> interesting is that most people signing keys check the identity of the
> user, rather than whether the email address goes to them. In theory,
> putting your signature on a key, you're tying the uid subpacket and the
> pub subpacket together. People tend to assume that email address bits are
> correct.
True to a certain extent. For me, I am authenticating the person to the
key. Who says the uid subpacket has to contain an EMail address?
If people want wrong or misleading emails that their business. As
long as they can satisfy me that they hold the secret key that is good
enough for me.
Red
