[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Best practices of GPG signing

I am wondering what is the best practice for me to gather and exchange
GPG signature.

  (I now have 2 e-mail accounts associated to my GPG key.  
   One e-mail address before I joined Debian and one with @debian.org.)

1) Should I gather signature for all active e-mail addresses?
   (Is signature only for osamu@debian.org enough?  Is the act of asking
   signer to sign alternative address considered useless request? Or is
   it worthy cause?)

2) Should I print these alternative e-mail addresses on my Debian
   business card for the convenience of signer.  (I never see that in my
   experience but people tends to have multiple uids.)

3) Is it a good practice to ask people who signed only old uid to sign
   new uid?  (I do this with GPG signed mail.)

4) If someone who used only his ex-work address in GPG key, is it OK to
   sign his new uid by exchanging mail through different mail address
   but with properly signed mails?

5) How important is the uid field?  After all e-mail address can easily
   be spoofed. (For me, it looks totally secondary.  Important thing is
   possession of the secret key.)

~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ +++++
        Osamu Aoki <osamu@debian.org>   Cupertino CA USA, GPG-key: A8061F32
 .''`.  Debian Reference: post-installation user's guide for non-developers
 : :' : http://qref.sf.net and http://people.debian.org/~osamu
 `. `'  "Our Priorities are Our Users and Free Software" --- Social Contract

Reply to: