Best practices of GPG signing
I am wondering what is the best practice for me to gather and exchange
(I now have 2 e-mail accounts associated with my GPG key:
one e-mail address from before I joined Debian and one with @debian.org.)
1) Should I gather signatures for all active e-mail addresses?
(Is a signature only for firstname.lastname@example.org enough? Is the act of asking a
signer to sign an alternative address considered a useless request? Or is
it a worthy cause?)
2) Should I print these alternative e-mail addresses on my Debian
business card for the convenience of the signer? (I have never seen that in my
experience, but people tend to have multiple uids.)
3) Is it a good practice to ask people who signed only the old uid to sign
the new uid? (I do this with GPG-signed mail.)
4) If someone used only his ex-work address in his GPG key, is it OK to
sign his new uid by exchanging mail through a different mail address,
but with properly signed mails?
5) How important is the uid field? After all, an e-mail address can easily
be spoofed. (For me, it looks totally secondary. The important thing is
possession of the secret key.)
Osamu Aoki <email@example.com> Cupertino CA USA, GPG-key: A8061F32
Debian Reference: post-installation user's guide for non-developers
http://qref.sf.net and http://people.debian.org/~osamu
"Our Priorities are Our Users and Free Software" --- Social Contract
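Question 5 turns on which signal a verifier should trust. The following is an added example, not part of the mail above, showing how to act on gpg's machine-readable `--status-fd` output: accept a signed mail only when gpg reports VALIDSIG and the full primary-key fingerprint matches the key you already trust, and ignore the uid string that GOODSIG echoes back, since that text is whatever the key holder typed. The status lines and fingerprints in the tests are constructed sample values; `verify_file` assumes a `gpg` binary on PATH.

```python
"""Decide whether a gpg signature verification should be trusted."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

FPR_RE = re.compile(r"^[0-9A-F]{40}$")          # full v4 fingerprint only
FAIL_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class VerifyResult:
    ok: bool
    fingerprint: Optional[str]   # primary-key fingerprint gpg reported, if any
    reason: str


def check_status(status_lines: List[str], expected_fpr: str) -> VerifyResult:
    """Evaluate gpg --status-fd lines against the fingerprint we expect.

    Matching on a short key ID (e.g. the 8-hex-digit form printed in a
    signature) is refused: short IDs are cheap to collide, so the caller
    must supply the full 40-hex-digit fingerprint.
    """
    expected = expected_fpr.replace(" ", "").upper()
    if not FPR_RE.match(expected):
        raise ValueError("expected_fpr must be a full 40-hex-digit fingerprint")
    seen_fpr = None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FAIL_KEYWORDS:
            return VerifyResult(False, None, keyword)
        if keyword == "VALIDSIG":
            # fields[2] is the signing (sub)key; the optional last field is
            # the primary key fingerprint, which is what key signers track.
            seen_fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
        # GOODSIG carries the uid text; deliberately not used for the decision.
    if seen_fpr is None:
        return VerifyResult(False, None, "no VALIDSIG")
    if seen_fpr != expected:
        return VerifyResult(False, seen_fpr, "fingerprint mismatch")
    return VerifyResult(True, seen_fpr, "ok")


def verify_file(signed_path: str, expected_fpr: str) -> VerifyResult:
    """Run gpg on a signed file and apply check_status to its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signed_path],
        capture_output=True, text=True, check=False)
    return check_status(proc.stdout.splitlines(), expected_fpr)
```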