
Re: GPG key



On Sat, Sep 15, 2001 at 11:09:27AM +0200, Robert Bihlmeyer wrote:

> Yes, OpenPGP lets you sign uids. (I even think that you can *only*
> sign uids, but this may be my misconception.)

Yes, you can only sign UIDs.  When you sign someone's key (or rather, a
UID on someone's key) you are certifying that you have verified that the
person identified by that UID really does own the matching secret key.

Signing the key itself rather than an identity on the key wouldn't
really have much point - it is pretty much self evident that a GPG key
is a GPG key and it would be hard to attach much more meaning to a
signature on the key itself than that.

> There's no general consensus about what signing a uid means, though. I
> personally only sign the first uid, because I think trusting the
> person to manage her uids correctly is not too much, and the
> consequences of someone botching this amount to a DoS at most. Others
> think differently, and sign only uids which reference an e-mail
> address they have verified.

It's not so much mistakes as deliberate attacks that should be
considered.  Blindly signing all user IDs without full verification
creates an obvious possibility for impersonation.  Signing only some
user IDs when other IDs have been verified doesn't cause such active
harm, it just means that if someone has an interest in verifying the
unsigned user IDs there's less information out there to help them.

The general principle in security related things is that you should be
as untrusting and paranoid as possible.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

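The point made in this thread, that certifications attach to individual user IDs rather than to the key, can be checked against a key's own listing. The following is an added example, not code from the original post or from GnuPG: it parses the machine-readable output of `gpg --with-colons --list-sigs` (here a constructed listing for a hypothetical key, with placeholder key IDs) and reports which user IDs a given signer has certified and which user IDs carry only a self-signature.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect which user IDs on a
# key carry certifications from which signers, using gpg's machine-readable
# "--with-colons --list-sigs" record format.
# SAMPLE_LISTING is a constructed listing for a hypothetical key with two
# user IDs; in practice pipe in the real output of
#   gpg --with-colons --list-sigs <keyid>
SAMPLE_LISTING='pub:u:2048:1:AAAAAAAAAAAAAAAA:1000000000:::u:::scESC::::::23::0:
uid:u::::1000000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1000000000::::Alice Example <alice@example.org>:13x::::::2:
sig:::1:BBBBBBBBBBBBBBBB:1000000100::::Bob Verifier <bob@example.net>:13x::::::2:
uid:u::::1000000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Alice Example <alice@example.com>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1000000000::::Alice Example <alice@example.com>:13x::::::2:'

# Print every user ID that carries a certification (signature class
# 0x10-0x13, shown as "10".."13" in field 11) from the signer key ID given
# as $1.  The listing is read from stdin.  "sig" records are attributed to
# the most recent "uid" record, which is how gpg lays the listing out.
uids_certified_by() {
    awk -F: -v signer="$1" '
        $1 == "uid" { uid = $10 }
        $1 == "sig" && $5 == signer && $11 ~ /^1[0-3]/ && uid != "" { print uid }
    '
}

# Print user IDs that have no certification from anyone other than the key
# owner (field 5 of the "pub" record), i.e. only a self-signature.  These are
# the user IDs a third party has less information about.
uids_without_third_party_certs() {
    awk -F: '
        $1 == "pub" { owner = $5 }
        $1 == "uid" { if (uid != "") report(); uid = $10; third = 0 }
        $1 == "sig" && $5 != owner && $11 ~ /^1[0-3]/ { third = 1 }
        END { if (uid != "") report() }
        function report() { if (!third) print uid }
    '
}

echo "User IDs certified by BBBBBBBBBBBBBBBB:"
printf '%s\n' "$SAMPLE_LISTING" | uids_certified_by BBBBBBBBBBBBBBBB
echo "User IDs with only a self-signature:"
printf '%s\n' "$SAMPLE_LISTING" | uids_without_third_party_certs
```

Against the constructed listing, Bob's certification covers only the first user ID, and the second user ID is reported as having no third-party certification.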

