First of all,... unfortunately Chris forgot to CC the list (at least it seems so). So I post his answer again:

On Tue, Apr 15, 2008 at 12:21 PM, Michael Kesper <[EMAIL PROTECTED]> wrote:
> I remember Werner saying that this was just nonsense.
> Werner, can you correct me if I'm wrong?

Well this is partly true as everybody can lose or change an email address. So the process of validating that a key-owner has "control" over an email address does not say that this will last forever (btw: this also applies for the real name,.. imagine someone marries). But apart from that I think it still makes sense to really validate the email (e.g. via challenge response).
Imagine Werner Koch (from GnuPG) who has [EMAIL PROTECTED] and another Werner Koch who works at uhm perhaps Mikrosaft,... he has the email [EMAIL PROTECTED] Both are really named "Werner Koch" and people validate this e.g. via their passports when they meet one of the two Werners in person and sign their key/UIDs. After some time the Werner Koch from Mikrosaft becomes evil and adds a new UID "Werner Koch <[EMAIL PROTECTED]>"... and he asks his previous key signers to sign his new ID because he no longer goes by his "old" email address. If the signers say just,.. oh well the name is the same and I don't have to check if the evil Werner Koch actually has access to the email,... a lot of people might believe that he is our good gpg-programming Werner.

To say it short: In my opinion every piece of information that you sign/certify should be actually validated. It probably even makes sense to check if a keyholder specified all of his given names,... and perhaps one shouldn't sign UIDs like "George W. Bush" if the W. is an abbreviation, while "Harry S Truman" would be ok,.. as the S wasn't an abbreviation (iirc).

Does this answer your post?

Herbert

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
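The per-UID challenge/response check Herbert argues for, as an added example that is not part of the post and does not use GnuPG: it assumes each token would in reality be encrypted to the key and mailed only to that UID's address, so echoing it back proves mailbox control, and it replays the "two Werners" scenario with constructed addresses (the post's real addresses are redacted).

```python
# Added example, not from the mailing-list post: model of certifying only
# those UIDs whose name matched an in-person ID check AND whose mailbox
# echoed a per-UID challenge. Encryption to the key is assumed, not done.
import secrets
from email.utils import parseaddr


def issue_challenges(uids):
    """One random token per UID. A real signer would encrypt each token to
    the key and send it only to that UID's address."""
    return {uid: secrets.token_hex(16) for uid in uids}


def uids_to_certify(uids, verified_name, challenges, responses):
    """Return the UIDs a signer may certify: the name must equal the name
    verified on the document, and the mailbox must have returned its token."""
    ok = []
    for uid in uids:
        name, addr = parseaddr(uid)
        if not addr or name != verified_name:
            continue  # no address, or name differs from the checked document
        if responses.get(uid) != challenges.get(uid):
            continue  # token never came back: no proof of mailbox control
        ok.append(uid)
    return ok


# Constructed sample addresses (example domains, not the post's real ones).
GOOD_UID = "Werner Koch <wk@example.org>"
EVIL_UIDS = ["Werner Koch <wk@mikrosaft.example>", GOOD_UID]


def demo():
    """The second key holder adds a UID with the first Werner's address but
    can only answer the challenge sent to the mailbox he really controls."""
    ch = issue_challenges(EVIL_UIDS)
    responses = {EVIL_UIDS[0]: ch[EVIL_UIDS[0]]}
    return uids_to_certify(EVIL_UIDS, "Werner Koch", ch, responses)


if __name__ == "__main__":
    print(demo())  # only the mikrosaft UID is certifiable
```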