On 02/06/2011 07:01 PM, MFPA wrote:
> What's a "legitimate User ID?" My understanding is that, whilst the de
> facto standard is a name and an email address, there is no compulsion
> over what string to choose.

Here are some legitimate User IDs that do not correspond to a single individual:

* "deb.torproject.org archive signing key"
* "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmas...@debian.org>"

These are legitimate to my mind because they unambiguously identify an entity responsible for the key (despite the fact that the entity is not a single individual). Note that the latter happens to be an RFC 822-style e-mail address, but the former does not. The e-mail address form is *not* relevant to the legitimacy of the User ID, other than its ability to disambiguate potentially-conflicting claims to the same name (e.g. there might be multiple "John Smith"s, but there is only one john.sm...@example.org if you subscribe to the global namespace described by DNS).

> Isn't the User ID simply the string which the user has chosen as an
> identifier for their key, which can be something more human-friendly
> than the key id?

User ID is short for "User Identifier". The User ID is not only friendlier than the key ID -- it actually refers to something outside the cryptographic realm in which the key operates. This is the point of a PKI, whether it is OpenPGP or X.509 or whatever: you want to be able to bind mathematical constructs (e.g. public keys) to non-mathematical entities (e.g. the entities referred to by User IDs).

> I thought the Key ID and the User ID both identified the key,

As their names imply, the Key ID identifies the key, and the User ID identifies the User (or keyholder).

> the
> certifications were an assertion from other people that the User ID
> was consistent with the user's real-world identity,

Yes, *and* that the real-world entity in question actually controls the associated key. An OpenPGP certification is made over a (Key + User ID) combination. It states "the owner of the key is in fact the person described by the User ID".

https://tools.ietf.org/html/rfc4880#page-20

> and that these
> certifications in combination with the User ID identified the user.

The User ID identifies the user, but it might be (and in fact is trivially) spoofed. To decide whether you're willing to believe that a given User ID is correctly associated with a given key, you can use the known certifications of the key+userID combination, and your state of knowledge/belief about the certifiers themselves. These certifications cannot be (practically) spoofed. This is how the web of trust operates.

--dkg
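To illustrate the point above about certifications being made over the (Key + User ID) combination, here is an added example (not part of the original message and not GnuPG code) that builds the RFC 4880 v4 certification hash input and shows that a certification over one pair does not verify for a spoofed User ID or a different key. All key material, User IDs and the certifier "bob" are constructed stand-ins; the HMAC "signature" stands in for a real asymmetric OpenPGP signature, and the signature-subpacket trailer is omitted.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins, not real OpenPGP packets or keys.
ALICE_KEY = b"constructed key packet body for Alice"
MALLORY_KEY = b"constructed key packet body for Mallory"
ALICE_UID = b"Alice Example <alice@example.org>"
# Hypothetical certifier Bob; in this toy model his "signing key" is an HMAC
# secret standing in for a real asymmetric OpenPGP signing key.
CERTIFIERS = {"bob": b"constructed-secret-for-bob"}


def certification_hash_input(key_body: bytes, user_id: bytes) -> bytes:
    """Hashed material of a v4 certification (RFC 4880 section 5.2.4):
    0x99 + 2-byte key length + key body, then 0xB4 + 4-byte UID length + UID.
    The signature-subpacket trailer is omitted in this simplified model."""
    return (b"\x99" + len(key_body).to_bytes(2, "big") + key_body
            + b"\xb4" + len(user_id).to_bytes(4, "big") + user_id)


@dataclass(frozen=True)
class Certification:
    certifier: str
    sig: bytes  # toy signature over the (key + User ID) digest


def certify(certifier: str, key_body: bytes, user_id: bytes) -> Certification:
    """Certifier states: the entity named by user_id controls key_body."""
    digest = hashlib.sha256(certification_hash_input(key_body, user_id)).digest()
    return Certification(certifier, hmac.new(CERTIFIERS[certifier], digest, "sha256").digest())


def verify(cert: Certification, key_body: bytes, user_id: bytes) -> bool:
    """Recompute the binding for the pair presented now; any change to the key
    or the User ID yields a different digest, so the certification fails."""
    if cert.certifier not in CERTIFIERS:
        return False
    digest = hashlib.sha256(certification_hash_input(key_body, user_id)).digest()
    expected = hmac.new(CERTIFIERS[cert.certifier], digest, "sha256").digest()
    return hmac.compare_digest(cert.sig, expected)


def uid_is_believable(key_body, user_id, certs, trusted):
    """Believe (key, User ID) only if a certifier you trust has signed that pair."""
    return any(c.certifier in trusted and verify(c, key_body, user_id) for c in certs)


if __name__ == "__main__":
    cert = certify("bob", ALICE_KEY, ALICE_UID)
    print(uid_is_believable(ALICE_KEY, ALICE_UID, [cert], {"bob"}))    # True
    print(uid_is_believable(MALLORY_KEY, ALICE_UID, [cert], {"bob"}))  # False: same UID, other key
    print(uid_is_believable(ALICE_KEY, b"Mallory <alice@example.org>", [cert], {"bob"}))  # False
```

The spoofed cases fail not because the User ID string is checked against anything, but because no trusted certifier ever signed that particular (key, User ID) pair.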
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users