On Sun, Sep 16, 2001 at 08:35:15PM +0000, Redvers Davies wrote:
> > Ah, but the authentication is the signature chain. :-) What is, of course,
> > interesting is that most people signing keys check the identity of the
> > user, rather than whether the email address goes to them. In theory,
> > putting your signature on a key, you're tying the uid subpacket and the
> > pub subpacket together. People tend to assume that email address bits are
> > correct.
> True to a certain extent. For me, I am authenticating the person to the
> key. Who says the uid subpacket has to contain an EMail address?
> If people want wrong or misleading emails that their business. As
> long as they can satisfy me that they hold the secret key that is good
> enough for me.
No, you're getting the wrong end of the stick. The point is that if I get
something with your signature on it, and I've said that I trust you to do
the verification correctly, you may know what the Mickey Mouse in the UID
subpacket means (that eg, it means Evil Dave) and you've verified that
Evil Dave does, in fact, hold the corresponding secret key, so that when
you send messages encrypted with that key it will be evil dave who decrypts
them. However, that "Mickey Mouse" means nothing to me.
I therefore shouldn't be trusting your signature to verify anybody else's
identity. The email bit is a red herring and is rather like a name.
MBM
--
Matthew Byng-Maddick <[EMAIL PROTECTED]> http://colondot.net/
