Peter Lewis wrote:
>> Because you do not know whether the owner of UID1 is also the owner of
>> UID2.
>> Let's say someone trusts my key and my user-id on that key.
>> Now, I add another ID: "Stan Tobias <[EMAIL PROTECTED]>"...
>> Not a good idea to trust that without checking, is it?
> But isn't that the point of signing new UIDs with the original one?
You don't sign with a UID. You always sign with a private key.
Signing a new UID with the same key that was used to sign another UID
proves that the same person that created the first UID created the
second one.
It does not prove that the person controls (or, is identified by) the
second UID.
As I said before: If you trust my key, I could simply add "Stan Tobias
<[EMAIL PROTECTED]>" as a UID to my key.
If this new UID was trusted immediately, you would use *my* key to
encrypt emails intended to go to Stan..!
The crucial thing is connecting the person identified by a UID with a
private key.
This is what is meant by "trust" in a UID, and in OpenPGP this trust is
expressed by signing the UID with your key.
cu, Sven
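The behaviour described in the message above, shown with gpg itself. This is an added example, not part of the mailing-list thread: the names, the e-mail addresses (sven@, stan@ and alice@example.invalid) and the temporary keyrings are constructed for the demo. A key holder adds a second UID claiming to be someone else; a third party certifies only the UID she has actually verified, and her gpg then encrypts to the verified address but refuses the unverified one, even though both UIDs sit on the same key.

```bash
#!/bin/sh
# Added example (not from the gnupg-users thread). Requires gpg 2.1+.
# All identities and paths below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
SVEN_HOME="$WORK/sven"
ALICE_HOME="$WORK/alice"
mkdir -m 700 "$SVEN_HOME" "$ALICE_HOME"
trap 'gpgconf --homedir "$SVEN_HOME" --kill all 2>/dev/null;
      gpgconf --homedir "$ALICE_HOME" --kill all 2>/dev/null;
      rm -rf "$WORK"' EXIT

# Two separate keyrings, run non-interactively with empty passphrases.
sven()  { gpg --homedir "$SVEN_HOME"  --batch --pinentry-mode loopback --passphrase '' "$@"; }
alice() { gpg --homedir "$ALICE_HOME" --batch --pinentry-mode loopback --passphrase '' "$@"; }

# 1. Sven creates a key carrying his own UID ...
sven --quick-gen-key 'Sven <sven@example.invalid>' default default never 2>/dev/null
SVEN_FPR=$(sven --list-keys --with-colons | awk -F: '$1=="fpr" {print $10; exit}')

# 2. ... and, without anyone checking, adds a second UID that claims to be Stan.
#    The self-signature on this UID only proves the key holder created it.
sven --quick-add-uid "$SVEN_FPR" 'Stan Tobias <stan@example.invalid>' 2>/dev/null

# 3. Alice has her own (ultimately trusted) key and imports Sven's public key.
alice --quick-gen-key 'Alice <alice@example.invalid>' default default never 2>/dev/null
sven --export "$SVEN_FPR" | alice --import 2>/dev/null

# 4. Alice verified Sven's identity, so she certifies *that* UID only
#    (a local, non-exportable signature is enough for her own keyring).
alice --quick-lsign-key "$SVEN_FPR" 'Sven <sven@example.invalid>' 2>/dev/null
alice --check-trustdb 2>/dev/null

# Validity of a UID on Sven's key as computed in Alice's keyring.
# In --with-colons output, field 2 of a "uid:" line is the validity
# ('f' = full, 'u' = ultimate, '-'/'q' = unknown) and field 10 is the UID.
uid_validity() {
  alice --list-keys --with-colons "$SVEN_FPR" 2>/dev/null \
    | awk -F: -v want="$1" '$1=="uid" && index($10, want) {print $2; exit}'
}

# Will Alice's gpg encrypt to an address? Prints "ok" or "refused".
# In batch mode gpg refuses a recipient whose UID is not valid instead of
# asking "Use this key anyway?".
can_encrypt_to() {
  if printf 'hello' | alice --encrypt --armor --recipient "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo refused
  fi
}

echo "validity of Sven's UID:     $(uid_validity sven@example.invalid)"   # f
echo "validity of 'Stan' UID:     $(uid_validity stan@example.invalid)"   # not f
echo "encrypt to sven@...:        $(can_encrypt_to sven@example.invalid)" # ok
echo "encrypt to stan@...:        $(can_encrypt_to stan@example.invalid)" # refused
```

The point to take from the run is that gpg computes validity per UID, not per key: Alice's certification of "Sven <sven@example.invalid>" says nothing about "Stan Tobias <stan@example.invalid>" on the same key, so mail for Stan is not silently encrypted to Sven's key. Only a certification of the Stan UID by a key Alice trusts would change that outcome.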
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users