
Re: signing a GPG key with multiple uids



Osamu Aoki wrote:
> On Wed, Dec 04, 2002 at 03:05:57AM +0100, Rene Engelhard wrote:
> > > which have that address in it.
> > 
> > I sign a uid when this uid's address is not bouncing and the person who
> > claims to belong to this key answers a message encrypted to him sent
> > to the specific uid. If the person answers to all the mails sent to
> > him, I can sign all uids.
> 
> This sounds like good practice but burden of proof for the "activeness"
> of e-mail account is on signer side.  A bit unfair, IMHO.

this is as it should be. a signer needs to take Due Diligence when
saying ``Yes. I know that this key matches this Name and EMail address.''
failure to do that renders that signature, and potentially all other
signatures made by that signer. the whole Web-of-Trust thing.

some people do take more care than others when signing, and that is
okay. but the onus is always on the signer to verify that the facts as
she understands them are true.

-john


