Re: signing a GPG key with multiple uids
Hi,
On Wed, Dec 04, 2002 at 03:05:57AM +0100, Rene Engelhard wrote:
> Hi,
>
> Oohara Yuuma wrote:
> > When signing a GPG key, is it better to sign all of its uids, or
> > just a uid that I see as relevant (such as the @debian.org one)?
> > I usually meet someone, get a hardcopy of the key fingerprint,
> > the e-mail address and so on, then check it later and sign the uid
> > which has that address in it.
>
> I sign a uid when that uid's address is not bouncing and the person who
> claims to belong to this key answers a message encrypted to him and sent
> to the specific uid. If the person answers all the mails sent to
> him, I can sign all uids.
>
> Checking whether the email address is valid and can be read by the key owner
> is done for me by weasel's cabot => http://www.palfrader.org/#cabot
This sounds like good practice, but the burden of proof for the "activeness"
of an e-mail account is on the signer's side. A bit unfair, IMHO.
I have 2 e-mail addresses associated with my GPG key: one from
before I joined Debian and one @debian.org. I am wondering what
the best option for me is:
1) Add both e-mail addresses in my Debian business card to get
attention and to get signed for both e-mail addresses.
2) Ask people who signed only for the old e-mail address to sign the new one,
and revoke the old one eventually.
3) Just leave as is. Make sure to get the one for osamu@debian.org signed,
at least for the new signatures.
4) Just leave as is. If someone signs only one of the uids, leave it as is.
Gather GPG signatures randomly but a lot :)
Osamu
--
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ +++++
Osamu Aoki <osamu@debian.org> Cupertino CA USA, GPG-key: A8061F32
.''`. Debian Reference: post-installation user's guide for non-developers
: :' : http://qref.sf.net and http://people.debian.org/~osamu
`. `' "Our Priorities are Our Users and Free Software" --- Social Contract