> I should note that many people actually *don't* check if the e-mail
> address belongs to the person whose UID they sign. If this were as
> "simple" to prove as it is to prove you have a certain name by showing a
> passport or something, it might be checked more often.

That doesn't sound right. If you can't verify the email shown on the key belongs to the user, what have you accomplished? All you did was tie a key id to a person (maybe; not sure if you provably accomplished that) but not the email address. If the purpose of key signing is ultimately to relate something useful to a person, then I think it's more useful to know a certain person owns a certain email address and what his key id is. YMMV.

Passports and other documents are easily forged; just take 100 bucks and sit on the corner for 10 minutes. Practically, it's probably harder to spoof an email address.

How do you know what his key id is? Couldn't he also forge a little printout with somebody else's key id, fingerprint, etc. and give it to you along with his passport? I'm sure somebody has thought it all through, but it seems to me the purpose of trusting a key is to bind somebody to an email address, not just a key ID... sort of like S/MIME that contains the email address, but without relying on a trusted third party.

> But that's government regulated, unlike e-mail addresses. All you can
> easily prove is that you have access to an e-mail account, which is
> something completely different. Just to begin with: so does your e-mail
> provider.

Not necessarily, but even if they did, how do they have access to the key? I'm just saying 2 pieces of binding information sound better than one. Wouldn't it be safer to ask the person who wants you to sign his key to mail you his key id, and then you respond with some piece of information he has to bring when you sign his key, in addition to whatever else you do?

> If you haven't given the key to anyone (the copy in your own keyring is
> the only copy in existence), you can just add the new UID with adduid and
> then delete the old one with deluid. A key needs at least one UID,
> so you first need to add a new one before you delete the last and only UID.
Thanks

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users