Re: comments on uid
> Well, the UID is what other people sign. Suppose by a wonderful coincidence my name is Barack Obama. To prevent confusion, I create this UID
>
> Barack Obama (NOT the US president) bar...@is-my.name
>
> People sign this. They have seen my birth certificate... erm... I mean passport :) Hahaha!!! Damn Hawaiians! and the comment is quite helpful. Now I change the comment. I don't think by now I need to spell it out anymore, but here goes:
>
> Barack Obama (US president) bar...@is-my.name
>
> People might not be so happy they signed this UID.

Alright that's a good answer but aren't people just confirming the email address belongs to a known signer when they sign a key? Does it really matter what the UID comment is? I think it may be going a bit too far to say the UID is guaranteed.

> But you can simply create a new UID (command adduid from --edit-key) and delete the old UID (command deluid). That, as you say, doesn't help when it's on a keyserver as you can't delete data from a key on a keyserver. Likewise, people who already have a copy of your key and import your new key will still have the old UID as well(!).

Do I have to do anything with the keys when adding a UID and deleting the old one? I don't remember.

> When other people already have your key, revoking the UID (command revuid from --edit-key) is the standard way, if you think it's worth it for a changed comment. As people who sign your key sign a UID, you also lose all signatures when you revoke the signed UID.

My question is on a situation where I didn't add the comment by mistake when I created the key and now I'd like to be able to add a comment. The key isn't signed etc. Thanks.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: comments on uid
On 18/03/12 09:13, freej...@is-not-my.name wrote:
> Alright that's a good answer but aren't people just confirming the email address belongs to a known signer when they sign a key? Does it really matter what the UID comment is? I think it may be going a bit too far to say the UID is guaranteed.

Different people mean different things by signing a UID; they could express this by policy. By the way, a UID doesn't even need to be of the form Full Name (Comment) e@mail though it is certainly recommended and standard. So some people might not care about the comment part; others might. The example I gave is clearly a case where it might matter. I certainly would not sign the one with the comment (US president), but I haven't personally formulated a policy on what I think about comments.

I think there are other mechanisms to add some comments to a UID, via signatures with notations. Other people might know more about this. If you want to add comments that you can freely change, this might be more what you're looking for, rather than changing the UID.

I should note that many people actually *don't* check if the e-mail address belongs to the person whose UID they sign. If this were as simple to prove as it is to prove you have a certain name by showing a passport or something, it might be checked more often. But that's government regulated, unlike e-mail addresses. All you can easily prove is that you have access to an e-mail account, which is something completely different. Just to begin with: so does your e-mail provider.

> Do I have to do anything with the keys when adding a UID and deleting the old one? I don't remember.

[snip]

> My question is on a situation I didn't add the comment by mistake when I created the key and now I'd like to be able to add a comment. The key isn't signed etc. Thanks.

If you haven't given the key to anyone (the copy in your own keyring is the only copy in existence), you can just add the new UID with adduid and then delete the old one with deluid. A key needs at least one UID, so you first need to add a new one before you delete the last and only UID. The only catch is that if there is a copy in existence with the old UID, and you import to that keyring the new version with the new UID, it will have both UIDs.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: comments on uid
On 18-03-2012 5:13, freej...@is-not-my.name wrote:
...
> Alright that's a good answer but aren't people just confirming the email address belongs to a known signer when they sign a key? Does it really matter what the UID comment is? I think it may be going a bit too far to say the UID is guaranteed.

You define your policy about what you check when you sign a key (or a UID; after all, you sign UIDs on a key, not the key itself). So somebody might check the email address and name of the key owner, and ignore the comment, unless it is false (like the comment saying USA President). Others might not care about the comments at all.

> Do I have to do anything with the keys when adding a UID and deleting the old one? I don't remember.

I think you must make the new UID the primary UID before being able to delete the old one, but I'm not sure about it. The worst thing that could happen is to get a message saying you can't delete your primary UID or something like that.

> My question is on a situation I didn't add the comment by mistake when I created the key and now I'd like to be able to add a comment. The key isn't signed etc. Thanks.

If the key is not signed and it is not on keyservers, just make the new UID, set it as primary, and delete the old one. If the key is available at keyservers, then revoke the old one instead of deleting it.

Best Regards
Re: comments on uid
> I should note that many people actually *don't* check if the e-mail address belongs to the person whose UID they sign. If this were as simple to prove as it is to prove you have a certain name by showing a passport or something, it might be checked more often.

That doesn't sound right. If you can't verify the email shown on the key belongs to the user, what have you accomplished? All you did was tie a key id to a person (maybe, not sure if you provably accomplished that) but not the email address. If the purpose of key signing is ultimately to relate something useful to a person then I think it's more useful to know a certain person owns a certain email address and what his key id is. YMMV. Passports and other documents are easily forged, just take 100 bucks and sit on the corner for 10 minutes. Practically, it's probably harder to spoof an email address. How do you know what his key id is? Couldn't he also forge a little printout with somebody else's key id, fingerprint, etc. and give it to you along with his passport? I'm sure somebody has thought it all through but it seems to me the purpose of trusting a key is to bind somebody to an email address, not just a key ID... sort of like S/MIME that contains the email address, but without relying on a trusted third party.

> But that's government regulated, unlike e-mail addresses. All you can easily prove is that you have access to an e-mail account, which is something completely different. Just to begin with: so does your e-mail provider.

Not necessarily but even if they did, how do they have access to the key? I'm just saying 2 pieces of binding information sound better than one. Wouldn't it be safer to ask the person who wants you to sign his key to mail you his key id and then you respond with some piece of information he has to bring when you sign his key, in addition to whatever else you do?

> If you haven't given the key to anyone (the copy in your own keyring is the only copy in existence), you can just add the new UID with adduid and then delete the old one with deluid. A key needs at least one UID, so you first need to add a new one before you delete the last and only UID.

Thanks
Re: comments on uid
On 03/18/2012 04:13 AM, freej...@is-not-my.name wrote:
> My question is on a situation I didn't add the comment by mistake when I created the key and now I'd like to be able to add a comment. The key isn't signed etc. Thanks.

I suggest that you probably actually don't want the comment at all. The overwhelming majority of the comments that I've seen on User IDs are at best unnecessary, and at worst an explicit distraction and a reason for other people to not want to certify your User ID.

--dkg
Re: comments on uid
On 18-03-2012 15:13, freej...@is-not-my.name wrote:
>> I should note that many people actually *don't* check if the e-mail address belongs to the person whose UID they sign. If this were as
...
> That doesn't sound right. If you can't verify the email shown on the key belongs to the user what have you accomplished? All you did was tie a key id to a person (maybe, not sure if you provably accomplished that) but not the email address. If the purpose of key signing is ultimately to relate something useful to a person then I think it's more useful to know a certain person owns a certain email address and what his key id is. YMMV.

Well, I can carry my photo-ID stuff with me to a keysigning party, but I don't have any document to show I own my email address. Some people solve that by sending the signed key, encrypted to the recipient's key, to the email address. If the person doesn't control the email address, the person won't get the signature. If the email owner doesn't have the key, then he can't open the signature. Some people even add what is called a Freeform UID, which carries Name and Comment but no email address; that way, if they change their email provider, signatures collected on that UID won't be lost (you should revoke the UIDs that include an email address you can no longer use).

> Passports and other documents are easily forged, just take 100 bucks and sit

Well, that depends on the technology used to make the passports.

...
> you along with his passport? I'm sure somebody has thought it all through but it seems to me the purpose of trusting a key is to bind somebody to an email address, not just a key ID...sort of like S/MIME that contains the email address, but without relying on a trusted third party.

That depends on what you want to achieve.

Some people want to know which is the real key of a person (binding the key to a name); some others want to make sure they are sending stuff to the right person, but don't care about who that person is (they bind the key to an email address, or to a nickname). That is the good (and for some people, the bad) thing about OpenPGP: your signatures have the meaning you want them to have...

Best Regards
Re: comments on uid
On Sun, Mar 18, 2012 at 06:13:32PM -, freej...@is-not-my.name wrote:
>> I should note that many people actually *don't* check if the e-mail address belongs to the person whose UID they sign. If this were as simple to prove as it is to prove you have a certain name by showing a passport or something, it might be checked more often.
>
> That doesn't sound right. If you can't verify the email shown on the key belongs to the user what have you accomplished? All you did was tie a key id to a person (maybe, not sure if you provably accomplished that) but not the email address. If the purpose of key signing is ultimately to relate something useful to a person then I think it's more useful to know a certain person owns a certain email address and what his key id is. YMMV.

Just to play devil's advocate, there could be a single email address being used for a group of people. You'd know the message was for you because you have the correct key to open the message while everyone else would be left with a random mess of characters. Not sure why one would set up such a system, since email addresses are cheap nowadays, but nonetheless you could set up something similar. Although this does make one wonder about hijacking someone's account, which means that you'd always want to make sure that you change the authentication to your email accounts regularly lest someone do this to you. It would, more than likely, be a very targeted attack.

>> But that's government regulated, unlike e-mail addresses. All you can easily prove is that you have access to an e-mail account, which is something completely different. Just to begin with: so does your e-mail provider.
>
> Not necessarily but even if they did, how do they have access to the key? I'm just saying 2 pieces of binding information sound better than one. Wouldn't it be safer to ask the person who wants you to sign his key to mail you his key id and then you respond with some piece of information he has to bring when you sign his key, in addition to whatever else you do?
>
>> If you haven't given the key to anyone (the copy in your own keyring is the only copy in existence), you can just add the new UID with adduid and then delete the old one with deluid. A key needs at least one UID, so you first need to add a new one before you delete the last and only UID.

So CAFF[0] does make key signing a bit more secure although it does not solve the problem completely. When signing keys with CAFF, the program will create the signatures per UID and then email the specific UID signature to the address on that UID. The message is encrypted, which requires that the receiving party not only have access to the email address but also the key so they can import the signature. Once they have imported the signature they can upload the updated key to a key server. That means that if they are only attacking the email from a sending point of view then they wouldn't have access to the key signature.

[0] http://pgp-tools.alioth.debian.org/

--
Eric

--
Eric H Christensen e...@christensenplace.us
Sparks spa...@fedoraproject.org
. .-.. .-.. --- .-- --- .-. .-.. -..
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
Re: comments on uid
On 18/03/12 19:13, freej...@is-not-my.name wrote:
> Not necessarily but even if they did, how do they have access to the key?

The attacker is doing you a real service getting /your/ key signed then :) Wasn't the purpose of the attacker to get his /own/ key falsely signed? The key he does have access to?

BTW, your e-mail service provider does, necessarily, have access to mails sent to your e-mail account. SSL/TLS might encrypt the connection to the SMTP server serving your e-mail address, but the provider has the certificate for that server, or more generally, has full access to their own server. So the administrators of that SMTP server have full access to any mails sent to your account, if they want to. Obviously using GnuPG solves that problem, but not before identity is established, and here we are talking about establishing that.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: comments on uid
On 18/03/12 19:13, freej...@is-not-my.name wrote:
>> I should note that many people actually *don't* check if the e-mail address belongs to the person whose UID they sign.
>
> That doesn't sound right.

We could have a simple misunderstanding here: I do think many people check if the person whose UID they sign has /access/ to the e-mail address in the UID. But I'm making a distinction between access and belonging.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: comments on uid
On Sat, Mar 17, 2012 at 12:11:39AM -, freej...@is-not-my.name wrote:
>> The comment can only be added when creating the UID. If you wish to add, remove or edit you can create a new UID and set it as primary. If the key has not been shared, you can delete the old UIDs, but if it is already on the keyservers the copies there cannot have bits removed.
>
> Thanks for the info. Is there some reason why we can't edit the UID? I realize it doesn't help if the key is on a server but this key is not.

When you compute a signature over a UID, part of the data you hash is the UID. If the UID is different, then any signatures aren't valid anymore because the hash result will be different. The facility isn't implemented since it breaks all existing signatures and is essentially equivalent to deleting an old UID (which really can't be done if the UID has been published) and adding a new UID. If you want to do those two steps, you have to do them manually.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
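Two points made in the replies above, that a certification is made over a UID on a key rather than over the key itself, and that the UID bytes are part of what gets hashed so the UID cannot be edited without breaking every signature on it, can be shown directly. The following Python is an added example and is not code from this thread or from GnuPG. It reconstructs the hash input of an RFC 4880 v4 certification signature (types 0x10..0x13) using a constructed stand-in RSA key body (the numbers, UIDs and timestamps are made up; no real key or signature is produced) and checks that changing only the comment in the UID changes the digest, while the key fingerprint, which covers the key packet alone, does not involve the UID at all.

```python
"""Added example: why an OpenPGP User ID cannot be edited in place.

Not code from this thread or from GnuPG. It rebuilds the digest that an
RFC 4880 v4 certification signature (types 0x10..0x13) is computed over,
using a constructed stand-in RSA key body (small, non-secret numbers, not a
real key), and shows that the User ID string, comment included, is part of
the hashed data: change one byte of the comment and every certification on
that UID stops verifying. Hence adduid/deluid or revuid, never "edit".
"""
import hashlib
import struct

SIG_POSITIVE_CERT = 0x13   # "Positive certification of a User ID and Public-Key packet"
PUBKEY_RSA = 1             # public-key algorithm id (RSA Encrypt or Sign)
HASH_SHA256 = 8            # hash algorithm id
SUBPKT_SIG_CREATION = 2    # Signature Creation Time subpacket type


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA Public-Key packet (RFC 4880 5.5.2): version, time, alg, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([PUBKEY_RSA]) + mpi(n) + mpi(e)


def key_hash_prefix(key_body: bytes) -> bytes:
    """0x99 || 2-octet body length || body: used by both the fingerprint and certifications."""
    return b"\x99" + struct.pack(">H", len(key_body)) + key_body


def v4_fingerprint(key_body: bytes) -> str:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over the key prefix only; no UID is involved."""
    return hashlib.sha1(key_hash_prefix(key_body)).hexdigest().upper()


def hashed_subpackets(sig_created: int) -> bytes:
    """Minimal hashed subpacket area: a single Signature Creation Time subpacket."""
    body = bytes([SUBPKT_SIG_CREATION]) + struct.pack(">I", sig_created)
    return bytes([len(body)]) + body  # one-octet length is enough for 5 bytes


def certification_digest(key_body: bytes, user_id: str, sig_created: int) -> bytes:
    """SHA-256 digest a v4 certification over (key, user_id) is computed on (RFC 4880 5.2.4).

    Hash input, in order:
      0x99 || 2-octet len || key body
      0xB4 || 4-octet len || User ID            <- the UID, comment and all
      hashed part of the signature packet
      trailer 0x04 0xFF || 4-octet len of that hashed part
    """
    uid = user_id.encode("utf-8")
    subs = hashed_subpackets(sig_created)
    sig_hashed = (bytes([4, SIG_POSITIVE_CERT, PUBKEY_RSA, HASH_SHA256])
                  + struct.pack(">H", len(subs)) + subs)
    h = hashlib.sha256()
    h.update(key_hash_prefix(key_body))
    h.update(b"\xb4" + struct.pack(">I", len(uid)) + uid)
    h.update(sig_hashed)
    h.update(b"\x04\xff" + struct.pack(">I", len(sig_hashed)))
    return h.digest()


def certification_still_valid(key_body: bytes, signed_uid: str, current_uid: str,
                              sig_created: int) -> bool:
    """A certification made over signed_uid verifies against current_uid only if the
    hashed bytes are identical; any edit, even in the comment, changes the digest."""
    return (certification_digest(key_body, signed_uid, sig_created)
            == certification_digest(key_body, current_uid, sig_created))


# Constructed stand-in key: tiny, non-secret RSA-shaped numbers, not a usable key.
DEMO_KEY = v4_public_key_body(created=1331765400, n=0xC0FFEE1234567891, e=65537)
DEMO_SIG_TIME = 1331856000


if __name__ == "__main__":
    old_uid = "Example User (old comment) <user@example.org>"  # constructed
    new_uid = "Example User (new comment) <user@example.org>"  # constructed
    print("fingerprint (key only):", v4_fingerprint(DEMO_KEY))
    print("cert over old UID:", certification_digest(DEMO_KEY, old_uid, DEMO_SIG_TIME).hex())
    print("cert over new UID:", certification_digest(DEMO_KEY, new_uid, DEMO_SIG_TIME).hex())
    print("old certification still valid after editing the comment?",
          certification_still_valid(DEMO_KEY, old_uid, new_uid, DEMO_SIG_TIME))
```

Running it prints the fingerprint, two different digests and a final `False`. The same computation inside an OpenPGP implementation is what makes the self-signature and every third-party certification fail on an edited UID, which is why the edit-key menu offers adduid, deluid and revuid but no way to rewrite a UID in place.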
Re: comments on uid
> The OP was maybe referring to the comment in UIDs of the form Name (Comment) email address.

Right, that's what I meant.

> The comment can only be added when creating the UID. If you wish to add, remove or edit you can create a new UID and set it as primary. If the key has not been shared, you can delete the old UIDs, but if it is already on the keyservers the copies there cannot have bits removed.

Thanks for the info. Is there some reason why we can't edit the UID? I realize it doesn't help if the key is on a server but this key is not.
comments on uid
Is it possible to add or edit comments on a uid? I didn't see any obvious option in the help for edit.
Re: comments on uid
On Thursday, 15 March 2012, 18:54:28, freej...@is-not-my.name wrote:
> Is it possible to add or edit comments on a uid? I didn't see any obvious option in the help for edit.

--cert-notation / --cert-policy-url may be what you're looking for. But you need --list-options show-notations / show-policy-urls to see them. And, being more precise, that is not a comment on a UID but on one of the signatures of the UID.

Hauke

--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: comments on uid
Hi

On Thursday 15 March 2012 at 7:26:36 PM, in mid:201203152026.56818.mailinglis...@hauke-laging.de, Hauke Laging wrote:
> But you need --list-options show-notations / show-policy-urls to see them. And, being more precise, that is not a comment on a UID but on one of the signatures of the UID.

The OP was maybe referring to the comment in UIDs of the form Name (Comment) email address. The comment can only be added when creating the UID. If you wish to add, remove or edit, you can create a new UID and set it as primary. If the key has not been shared, you can delete the old UIDs, but if it is already on the keyservers the copies there cannot have bits removed.

--
Best regards

MFPA mailto:expires2...@rocketmail.com

Don't cry because it is over - smile because it happened