
Re: Best practices of GPG signing



Hi,

On Wed, Dec 04, 2002 at 10:59:06AM -0800, Osamu Aoki wrote:
> 1) Should I gather signatures for all active e-mail addresses?
>    (Is a signature only for osamu@debian.org enough?  Is the act of asking
>    a signer to sign an alternative address considered a useless request? Or is
>    it a worthy cause?)

Of course more signatures are better, as the web of trust is also useful
outside of Debian.

> 2) Should I print these alternative e-mail addresses on my Debian
>    business card for the convenience of the signer?  (I never see that in my
>    experience, but people tend to have multiple uids.)

Well, I have separate cards with all my uids and subkeys on them, which
I use for signing purposes. Business cards are something different, I
have different cards for different "personalities" of mine -- i.e. one
with my private address, one for Debian, one for the uni, one for work,
... But I think this is sort of the German mentality to keep everything
apart.

> 3) Is it a good practice to ask people who signed only old uid to sign
>    new uid?  (I do this with GPG signed mail.)

I'd say it depends. It makes sense if you're going to make heavy use of
the new uid, so people can easily validate it.

> 4) If someone who used only his ex-work address in GPG key, is it OK to
>    sign his new uid by exchanging mail through different mail address
>    but with properly signed mails?

I think yes, because that should still be the same person, and if the
key was stolen and someone is trying to get mails diverted, there should
be a revocation around soon.

> 5) How important is the uid field?  After all e-mail address can easily
>    be spoofed. (For me, it looks totally secondary.  Important thing is
>    possession of the secret key.)

Generally that's what the different levels of how you checked the uids
mean. If you have seen the ID card, use level 2, if you've checked the
mail address, use level 3. Where some years of correspondence replace
pinging the account, at least for me. :-)

   Simon

-- 
GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4

Attachment: pgpa9Mu0Y4urA.pgp
Description: PGP signature
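The certification levels Simon mentions (level 2 for an ID card check, level 3 when the mail address was checked too) are recorded per uid in the key, so one can check which signers certified the old uid but not a newly added one, which is what question 3 asks about. The following script is an added illustration, not code from this mail or from GnuPG: it reads the colon-format output that `gpg --list-sigs --with-colons <keyid>` produces, maps the signature class of each certification to its level, and lists the signers worth asking to extend their certification to another uid. The listing embedded below is constructed, with placeholder key ids, and the helper names are my own.

```python
#!/usr/bin/env python3
"""Summarise which certification level each signer used on each user id.

Added illustration for this thread, not code from the original mail or
from GnuPG. It parses the colon-format listing that
`gpg --list-sigs --with-colons <keyid>` emits; SAMPLE_LISTING below is a
constructed stand-in for that output, with placeholder key ids.
"""

# Certification signature classes (RFC 4880, section 5.2.1) as they appear
# in field 11 of a colon-format 'sig' record: two hex digits followed by
# 'x' for an exportable or 'l' for a local (non-exportable) signature.
CERT_CLASSES = {
    "10": 0,  # generic: no statement about how the uid was checked
    "11": 1,  # persona: the signer did not check the identity
    "12": 2,  # casual: some checking, e.g. an ID card was seen
    "13": 3,  # positive: thorough checking, including the mail address
}

# Constructed sample: one key with two uids; the second (work) uid was
# added later and carries weaker certifications than the first.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1600000000::HASH1::Example Person <person@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1600000000::::Example Person <person@example.org>:13x:::::8:
sig:::1:BBBBBBBBBBBBBBBB:1600100000::::Careful Signer <careful@example.net>:13x:::::8:
sig:::1:CCCCCCCCCCCCCCCC:1600200000::::Casual Signer <casual@example.net>:12x:::::8:
uid:u::::1650000000::HASH2::Example Person <person@work.example.com>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1650000000::::Example Person <person@example.org>:13x:::::8:
sig:::1:DDDDDDDDDDDDDDDD:1650100000::::Local Only <local@example.net>:13l:::::8:
sig:::1:BBBBBBBBBBBBBBBB:1650200000::::Careful Signer <careful@example.net>:11x:::::8:
"""


def parse_certifications(listing):
    """Map each user id to the list of certifications it carries.

    Only uid certifications (classes 0x10..0x13) are kept; subkey bindings,
    revocations and direct-key signatures are ignored.
    """
    certs = {}
    current_uid = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "uid":
            current_uid = fields[9]          # field 10: the user id string
            certs.setdefault(current_uid, [])
        elif fields[0] == "sub":
            current_uid = None               # following sigs bind the subkey
        elif fields[0] == "sig" and current_uid is not None:
            sig_class = fields[10]           # field 11: e.g. "13x" or "12l"
            level = CERT_CLASSES.get(sig_class[:2])
            if level is None:
                continue                     # not a uid certification
            certs[current_uid].append({
                "signer": fields[4],         # field 5: signer's key id
                "signer_uid": fields[9],     # field 10: signer's uid as known
                "level": level,
                "exportable": sig_class.endswith("x"),
            })
    return certs


def strongest_third_party_level(certs, uid, own_keyid):
    """Highest exportable certification level on `uid` from someone else."""
    levels = [c["level"] for c in certs.get(uid, [])
              if c["signer"] != own_keyid and c["exportable"]]
    return max(levels) if levels else None


def signers_to_ask(certs, uid, own_keyid, min_level=2):
    """Signers who certified another uid at `min_level` or better, but not this one.

    Sorted key ids of the people one would ask to extend their existing
    certification to `uid` (question 3 in the thread).
    """
    def counts(c):
        return (c["signer"] != own_keyid and c["exportable"]
                and c["level"] >= min_level)

    already = {c["signer"] for c in certs.get(uid, []) if counts(c)}
    elsewhere = {c["signer"] for other, cs in certs.items() if other != uid
                 for c in cs if counts(c)}
    return sorted(elsewhere - already)


if __name__ == "__main__":
    own = "AAAAAAAAAAAAAAAA"  # placeholder: the key's own id
    certs = parse_certifications(SAMPLE_LISTING)
    for uid in certs:
        print(uid)
        print("  strongest third-party level:",
              strongest_third_party_level(certs, uid, own))
        print("  signers to ask:", signers_to_ask(certs, uid, own))
```

Local (non-exportable) certifications are deliberately left out of the counts, since they never leave the signer's own keyring and do nothing for anyone else's validation of the uid.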