Hi everybody out there,

I put some thought into the meaning of signing a key and came to an unusual definition. Maybe someone would like to discuss it with me, since I'm not quite sure whether I should recommend that others interpret signing that way.

Definition: Signing a key means saying: "I confirm the full name in the key's ID is the keyowner's right name. The email address in the ID is the one the keyowner put there, but I cannot guarantee it's his/hers."

Here are the reasons why I think this definition is handy:

1. Assumption: Only the keyowner possesses the private key.

2. Assumption: The person I do the fingerprint-check with wants to receive a message from me.

1. Assumption and 2. Assumption => 1. Conclusion: The person I do the fingerprint-check with sends me her/his own public key.

1. Assumption and 2. Assumption => 2. Conclusion: The person I do the fingerprint-check with put an email address in the public key's ID to which she/he has access. (We know that without taking a look at the email address AT ALL.)

3. Conclusion: If signing a key has the meaning as stated above, no information will be revealed to persons who were not intended as recipients.

"3. Conclusion" is true, because there are only two possible cases:

1. Case: The person I do the fingerprint-check with puts his/her RIGHT email address in the key's ID. I don't check the email address, but the name in the ID, and sign the key. --> No problems.

2. Case: The person I do the fingerprint-check with (let's call him Peter Hansen) doesn't put his, but Anna's email address (a...@web.com) in the key's ID, because he managed to get access to it (attack). I don't check the email address, but the name in the ID, and sign the key. The ID is now: "Peter Hansen a...@web.com". Let's say Marie somehow gets this signed key. There are again two cases:

2.1 Case: Marie wants to send Anna a message. Although she recognizes Anna's email address and my signature, she will not use the key, because there's "Peter Hansen" written in the ID. --> No problem.

2.2 Case: Marie wants to send Peter Hansen an encrypted email. Then she will use the key and send it to a...@web.de and Peter will even receive it, since he has access. --> No real problem.

2.2 Remark: If Peter just made a mistake when typing the email address, he will not be able to access the message. But that's his own fault, not mine.

I'm grateful for answers.

Take care,
Jan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users