GPG USAGE HOWTO 1 (was: Re: AM report on Thierry Bourrillon)
On Mon, Apr 16, 2001 at 10:12:57PM +0200, Peter Palfrader wrote:
> On Mon, 16 Apr 2001, Ralf Treinen wrote:
> > > > pub 1024D/D94AF6B8 2000-10-17 Thierry Bourrillon <email@example.com>
> > > What is it?
> > It's just the ID that he choose for his key. I told him that his
> > debian address most likely will not look like this. At that time
> > (when I signed his key) I didn't care since he can generate (and
> > submit to the keyring) as many subkeys as likes.
> In other words you signed an ID that was not owned by the owner
> of the secret key. Not good imho.
It's terrible what you people here call keysigning, and keysign
checking. You are using --list-sigs and not --check-sigs, --list-sigs
DOES NOT CHECK ANYTHING. And that other guy signs a UID that's
invalid. So, if elmo rejects the application the applicant can be happy
with having a signed @debian.org UID, I have no idea whatever it's good
for by this time, but it's BAD anyway. The web of trust is piece of shit
becouse of the 'I-don\'t-care' users of strong encryption systems.
/me is sad to see this
1.) Do not sign unexistant UIDs
2.) DO USE --check-sigs
Two easy steps for improving the security enourmously.