Re: signing a GPG key with multiple uids
Osamu Aoki wrote:
> On Wed, Dec 04, 2002 at 03:05:57AM +0100, Rene Engelhard wrote:
> > > which has that address in it.
> >
> > I sign a uid when this uid's address is not bouncing and the person who
> > claims to belong to this key answers a message encrypted to him sent to
> > the specific uid. If the person answers to all the mails sent to him, I
> > can sign all uids.
>
> This sounds like good practice but the burden of proof for the activeness
> of the e-mail account is on the signer's side. A bit unfair, IMHO.

this is as it should be. a signer needs to take Due Diligence when saying
``Yes. I know that this key matches this Name and EMail address.'' failure
to do that renders that signature, and potentially all other signatures
made by that signer. the whole Web-of-Trust thing.

some people do take more care than others when signing, and that is okay.
but the onus is always on the signer to verify that the facts as she
understands them are true.

-john

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: signing a GPG key with multiple uids
Hi,

On Wed, Dec 04, 2002 at 10:04:21AM -0800, John H. Robinson, IV wrote:
> Osamu Aoki wrote:
> > On Wed, Dec 04, 2002 at 03:05:57AM +0100, Rene Engelhard wrote:
> > > > which has that address in it.
> > >
> > > I sign a uid when this uid's address is not bouncing and the person
> > > who claims to belong to this key answers a message encrypted to him
> > > sent to the specific uid. If the person answers to all the mails sent
> > > to him, I can sign all uids.
> >
> > This sounds like good practice but the burden of proof for the
> > activeness of the e-mail account is on the signer's side. A bit unfair,
> > IMHO.
>
> this is as it should be. a signer needs to take Due Diligence when saying
> ``Yes. I know that this key matches this Name and EMail address.'' failure
> to do that renders that signature, and potentially all other signatures
> made by that signer. the whole Web-of-Trust thing.
>
> some people do take more care than others when signing, and that is okay.
> but the onus is always on the signer to verify that the facts as she
> understands them are true.

Sure, I agree with your point on due diligence. (I said "a bit".) I do not
want to make life any harder for the people signing my GPG key either.

I think the question was not well formed and the discussion is drifting
away. I started a different thread to address my real question.

Thanks.

Osamu

-- 
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ +
 Osamu Aoki [EMAIL PROTECTED] Cupertino CA USA, GPG-key: A8061F32
 .''`.  Debian Reference: post-installation user's guide for non-developers
 : :' : http://qref.sf.net and http://people.debian.org/~osamu
 `. `'  Our Priorities are Our Users and Free Software --- Social Contract
Re: signing a GPG key with multiple uids
On Wed, Dec 04, 2002 at 11:09:09AM -0800, Osamu Aoki wrote:
> I do not want to make life any harder for the people signing my GPG key
> either.

It's a reasonable thing to check whether an email-address is valid before
signing it IMHO.

Michael

-- 
<weasel> we should propose to rename the FSG to DFSG as our first action
Re: signing a GPG key with multiple uids
On Wed, Dec 04, 2002 at 08:12:37PM +0100, Michael Banck wrote:
> On Wed, Dec 04, 2002 at 11:09:09AM -0800, Osamu Aoki wrote:
> > I do not want to make life any harder for the people signing my GPG key
> > either.
>
> It's a reasonable thing to check whether an email-address is valid before
> signing it IMHO.

You guys are misunderstanding the situation. I have no intention to
circumvent GPG security. I have 2 valid e-mail addresses and I want both
to be signed. I just did not want the signer to skip checking the
alternative address.

As far as due diligence is concerned, skipping an unsure address was OK.
But that is something I wanted to avoid.

Thanks.

Osamu

-- 
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ +
 Osamu Aoki [EMAIL PROTECTED] Cupertino CA USA, GPG-key: A8061F32
 .''`.  Debian Reference: post-installation user's guide for non-developers
 : :' : http://qref.sf.net and http://people.debian.org/~osamu
 `. `'  Our Priorities are Our Users and Free Software --- Social Contract
signing a GPG key with multiple uids
When signing a GPG key, is it better to sign all of its uids, or just a
uid that I see as relevant (such as the @debian.org one)? I usually meet
someone, get a hardcopy of the key fingerprint, the e-mail address and so
on, then check it later and sign the uid which has that address in it.

-- 
Oohara Yuuma [EMAIL PROTECTED]
Debian developer
PGP key (key ID F464A695) http://www.interq.or.jp/libra/oohara/pub-key.txt
Key fingerprint = 6142 8D07 9C5B 159B C170 1F4A 40D6 F42E F464 A695

smile to answer
--- Treasure, Radiant Silvergun, attitude #3 for SBS-130
Re: signing a GPG key with multiple uids
Oohara Yuuma wrote:
> When signing a GPG key, is it better to sign all of its uids, or just a
> uid that I see as relevant (such as the @debian.org one)? I usually meet
> someone, get a hardcopy of the key fingerprint, the e-mail address and so
> on, then check it later and sign the uid which has that address in it.
> --

I prefer to validate each email address. It is mostly a personal
preference, but at least I know the uid was valid at one point.

I have a uid associated with an employer account that I do not have
access to. It makes no sense for someone to sign that uid and I will
probably expire it soon.

Richard
Re: signing a GPG key with multiple uids
Hi,

On Wed, Dec 04, 2002 at 03:05:57AM +0100, Rene Engelhard wrote:
> Hi,
>
> Oohara Yuuma wrote:
> > When signing a GPG key, is it better to sign all of its uids, or just a
> > uid that I see as relevant (such as the @debian.org one)? I usually
> > meet someone, get a hardcopy of the key fingerprint, the e-mail address
> > and so on, then check it later and sign the uid which has that address
> > in it.
>
> I sign a uid when this uid's address is not bouncing and the person who
> claims to belong to this key answers a message encrypted to him sent to
> the specific uid. If the person answers to all the mails sent to him, I
> can sign all uids.
>
> The checking of whether the email is valid and can be read by the
> keyowner, weasel's cabot does for me: http://www.palfrader.org/#cabot

This sounds like good practice but the burden of proof for the activeness
of the e-mail account is on the signer's side. A bit unfair, IMHO.

I have 2 e-mail accounts associated with my GPG key. One e-mail address
from before I joined Debian and one with @debian.org. I am wondering what
is the best option for me:

1) Add both e-mail addresses to my Debian business card to get attention
   and to get signed for both e-mail addresses.

2) Ask people who signed only for the old e-mail address to sign the new
   one and revoke the old one eventually.

3) Just leave as is. Make sure to get one for [EMAIL PROTECTED] signed at
   least for the new signatures.

4) Just leave as is. If some sign either one uid, leave it as is. Gather
   GPG signatures randomly but a lot :)

Osamu

-- 
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ +
 Osamu Aoki [EMAIL PROTECTED] Cupertino CA USA, GPG-key: A8061F32
 .''`.  Debian Reference: post-installation user's guide for non-developers
 : :' : http://qref.sf.net and http://people.debian.org/~osamu
 `. `'  Our Priorities are Our Users and Free Software --- Social Contract
Re: signing a GPG key with multiple uids
On Tue, Dec 03, 2002 at 07:26:48PM -0800, Richard A. Hecker wrote:
> Oohara Yuuma wrote:
> > When signing a GPG key, is it better to sign all of its uids, or just a
> > uid that I see as relevant (such as the @debian.org one)? I usually
> > meet someone, get a hardcopy of the key fingerprint, the e-mail address
> > and so on, then check it later and sign the uid which has that address
> > in it.
>
> I prefer to validate each email address. It is mostly a personal
> preference, but at least I know the uid was valid at one point.
>
> I have a uid associated with an employer account that I do not have
> access to. It makes no sense for someone to sign that uid and I will
> probably expire it soon.

Although we may not control some e-mail addresses on a GPG key uid, we can
issue a revocation certificate for the particular uid. That burden of
keeping all uids current is not something the signer has to worry about.
It should be something the owner of the key has to worry about and
maintain.

I use a debian mail address plus one under my personal domain. I wanted
both to be signed since they are both active.

Osamu

-- 
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ +
 Osamu Aoki [EMAIL PROTECTED] Cupertino CA USA, GPG-key: A8061F32
 .''`.  Debian Reference: post-installation user's guide for non-developers
 : :' : http://qref.sf.net and http://people.debian.org/~osamu
 `. `'  Our Priorities are Our Users and Free Software --- Social Contract
Re: signing a GPG key with multiple uids
Hi,

Oohara Yuuma wrote:
> When signing a GPG key, is it better to sign all of its uids, or just a
> uid that I see as relevant (such as the @debian.org one)? I usually meet
> someone, get a hardcopy of the key fingerprint, the e-mail address and so
> on, then check it later and sign the uid which has that address in it.

I sign a uid when this uid's address is not bouncing and the person who
claims to belong to this key answers a message encrypted to him sent to
the specific uid. If the person answers to all the mails sent to him, I
can sign all uids.

The checking of whether the email is valid and can be read by the
keyowner, weasel's cabot does for me: http://www.palfrader.org/#cabot

Regards,

Rene

-- 
 .''`.  Rene Engelhard -- Debian GNU/Linux Developer
 : :' : http://www.debian.org | http://people.debian.org/~rene/
 `. `'  [EMAIL PROTECTED] | GnuPG-Key ID: 248AEB73
   `-   Fingerprint: 41FA F208 28D4 7CA5 19BB 7AD9 F859 90B0 248A EB73

pgplbLBgDpx6a.pgp: PGP signature
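The per-uid check Rene describes above (one challenge, encrypted to the key, sent to each uid's own address; certify only the uids whose challenge comes back) and Osamu's point in the other branch of the thread that uids the owner no longer controls should be revoked rather than left for signers to sort out, as an added example. This is not cabot and not code from anyone in the thread: it models the bookkeeping a signer does around `gpg`, the `--with-colons` listing it parses is a constructed sample with made-up key IDs and addresses, the `SigningSession` class and its method names are this example's own, and the actual encrypting and mailing of the tokens is left to `gpg` and the signer's mailer.

```python
"""Challenge/response bookkeeping for certifying the uids of an OpenPGP key.

Added example, not part of the thread. Workflow it models:
  1. list the key's uids (parsed from `gpg --with-colons --list-keys` output)
  2. issue one fresh random token per live uid, to be sent encrypted to the
     key and addressed ONLY to that uid's mailbox
  3. record the tokens that come back in replies
  4. sign only the uids whose token was returned
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass, field

# Constructed sample of `gpg --with-colons --list-keys` output. In a uid
# record, field 2 is the validity flag ('r' revoked, 'e' expired) and
# field 10 is the user-ID string. Key IDs, fingerprints and addresses are
# invented for this example.
SAMPLE_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::AAAA::Example Person <person@example.org>::::::::::0:
uid:u::::1600000000::BBBB::Example Person <person@debian.example>::::::::::0:
uid:r::::1500000000::CCCC::Example Person <old@former-employer.example>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:
"""

EMAIL_RE = re.compile(r"<([^<>]+)>")


@dataclass
class Uid:
    index: int       # 1-based position, the number `gpg --edit-key` shows
    text: str        # full user-ID string, e.g. "Name <addr>"
    validity: str    # gpg validity flag for this uid

    @property
    def email(self) -> str | None:
        m = EMAIL_RE.search(self.text)
        return m.group(1) if m else None


def parse_uids(colons: str) -> list[Uid]:
    """Extract uid records from colon-format output; gpg escapes ':' as \\x3a."""
    uids: list[Uid] = []
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] != "uid":
            continue
        text = fields[9].replace("\\x3a", ":")
        uids.append(Uid(index=len(uids) + 1, text=text, validity=fields[1]))
    return uids


@dataclass
class SigningSession:
    fingerprint: str
    uids: list[Uid]
    challenges: dict[int, str] = field(default_factory=dict)
    confirmed: set[int] = field(default_factory=set)

    def issue_challenges(self) -> dict[int, tuple[str, str]]:
        """One unpredictable token per certifiable uid.

        Revoked/expired uids and uids without an address get no token: the
        key owner has already said those should not be certified. Returns
        {uid index: (address, token)} so each token can be encrypted to the
        key and mailed to that address alone.
        """
        for uid in self.uids:
            if uid.validity in ("r", "e") or uid.email is None:
                continue
            self.challenges[uid.index] = secrets.token_urlsafe(24)
        return {i: (self.uids[i - 1].email, tok) for i, tok in self.challenges.items()}

    def record_reply(self, uid_index: int, token: str) -> bool:
        """Accept a reply only if it carries the token issued for that uid."""
        expected = self.challenges.get(uid_index)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        self.confirmed.add(uid_index)
        return True

    def uids_to_sign(self) -> list[int]:
        return sorted(self.confirmed)

    def edit_key_commands(self) -> list[str]:
        """Commands to type at `gpg --edit-key <fingerprint>`: select each
        confirmed uid, then certify the selection and save."""
        selected = [f"uid {i}" for i in self.uids_to_sign()]
        return selected + ["sign", "save"] if selected else []


if __name__ == "__main__":
    session = SigningSession("0123456789ABCDEF0123456789ABCDEF01234567", parse_uids(SAMPLE_COLONS))
    for idx, (addr, tok) in session.issue_challenges().items():
        print(f"uid {idx}: encrypt token {tok} to the key and mail it to {addr}")
```

Only the tokens that actually come back are recorded, so a key with two live addresses gets both uids certified when both replies arrive, and a mailbox the owner has lost (or a revoked uid, as in Richard's employer-account case) never ends up with a signature.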