Re: GPG USAGE HOWTO 1 (was: Re: AM report on Thierry Bourrillon)
Hi Oliver!
On Tue, 17 Apr 2001, Oliver Elphick wrote:
> The email addresses are relatively unimportant, because all the key actually
> guarantees is that someone who knows the secret key is using it. It does not
> guarantee that a message comes from the email address in the key.
You miss the point; imagine the following situation:
We meet, I show you my ID and give you the fingerprint.
My key has two IDs:
Peter Palfrader <weasel@debian.org>
Peter Palfrader <sirpeter@gmx.net>
You sign both and send the key to my primary address or upload it to the
keyserver.
Congratulations, you have just allowed me to impersonate Peter Palfrader
<sirpeter@gmx.net>, who happens to be an altogether different Peter
Palfrader than me.
Now if I sign mails with that key, people will trust that I'm
sirpeter@gmx.net because, after all, _you_ signed that ID.
If you had verified that I controlled sirpeter@gmx.net, this could never
have happened.
yours,
peter
--
PGP signed and encrypted | .''`. ** Debian GNU/Linux **
messages preferred. | : :' : By professionals,
| `. `' for professionals
http://www.palfrader.org/ | `- http://www.debian.org/
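The situation Peter describes, reproduced with gpg on throwaway test keys, as an added example that is not part of the original thread and not anyone's real key: a key with the two user IDs from the mail is created, a signer certifies only the user ID he checked against the ID card, and the result is inspected. It also shows the per-user-ID delivery that tools such as caff automate: export the key with only one user ID, encrypt it to the key, and mail it to that address, so the signature on a mailbox only ever reaches someone who can read that mailbox and decrypt. Assumptions: gpg 2.2 or later (for --quick-sign-key, --quick-add-uid and --export-filter), a made-up signer address signer@example.org, and a scratch GNUPGHOME that is deleted on exit.

```shell
#!/bin/sh
# Added example, not from the original mail: certify only the user IDs you
# have actually verified, then check what was signed.  Runs in a throwaway
# GNUPGHOME so the real keyring is untouched; needs gpg 2.2 or later.
# signer@example.org is made up; the two user IDs are the ones quoted in the
# mail, generated here as a fresh test key unrelated to the real person's key.
set -eu

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
# Never prompt: batch mode, loopback pinentry, unprotected test keys.
printf 'batch\nquiet\npinentry-mode loopback\n' > "$GNUPGHOME/gpg.conf"
printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT

# Primary fingerprint of the key whose user ID carries exactly this mailbox.
fpr_of() {
    gpg --with-colons --list-keys "<$1>" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Number of certifications by signer (long key ID, $2) on user ID $3 of key $1.
# Self-signatures carry the key's own ID and are therefore not counted.
count_sigs_on_uid() {
    gpg --with-colons --list-sigs "$1" |
        awk -F: -v signer="$2" -v want="$3" '
            $1 == "uid" { cur = $10 }
            $1 == "sig" && cur == want && $5 == signer { n++ }
            END { print n + 0 }'
}

# caff-style delivery: export key $1 keeping only the user ID for mailbox $2
# (and so only that user ID's certifications), encrypted to the key itself.
# Mail the output to $2; only someone who reads that mailbox AND holds the
# secret key can recover and publish the signature.
export_for_mailing() {
    gpg --export --export-filter "keep-uid=mbox = $2" "$1" |
        gpg --armor --trust-model always --encrypt --recipient "$1"
}

# How many user IDs survive the per-mailbox export filter (expected: 1).
count_uids_in_export() {
    gpg --export --export-filter "keep-uid=mbox = $2" "$1" |
        gpg --list-packets |
        awk '/user ID packet/ { n++ } END { print n + 0 }'
}

# --- the scenario from the mail, on test keys --------------------------------
# Peter's key with two user IDs; only the first one was checked against his ID.
gpg --passphrase '' --quick-gen-key 'Peter Palfrader <weasel@debian.org>' default default never
KEY_FPR=$(fpr_of weasel@debian.org)
gpg --quick-add-uid "$KEY_FPR" 'Peter Palfrader <sirpeter@gmx.net>'

# The signer's own key (address is a placeholder).
gpg --passphrase '' --quick-gen-key 'Signer <signer@example.org>' default default never
SIGNER_FPR=$(fpr_of signer@example.org)
# Long key ID = last 16 hex digits of a v4 fingerprint.
SIGNER_ID=$(printf '%s\n' "$SIGNER_FPR" | awk '{ print substr($0, length($0) - 15) }')

# Certify ONLY the user ID that matched the ID card.  Naming the user ID
# restricts --quick-sign-key to it; with no name it would sign every user ID,
# which is exactly the mistake the mail warns about.
gpg --local-user "$SIGNER_FPR" --quick-sign-key "$KEY_FPR" 'Peter Palfrader <weasel@debian.org>'

echo "signer certifications on <weasel@debian.org>: $(count_sigs_on_uid "$KEY_FPR" "$SIGNER_ID" 'Peter Palfrader <weasel@debian.org>')"
echo "signer certifications on <sirpeter@gmx.net>:  $(count_sigs_on_uid "$KEY_FPR" "$SIGNER_ID" 'Peter Palfrader <sirpeter@gmx.net>')"
echo "user IDs in the export mailed to weasel@debian.org: $(count_uids_in_export "$KEY_FPR" weasel@debian.org)"
```

Run it as a plain script; it prints 1, 0 and 1. The unverified <sirpeter@gmx.net> user ID ends up with no certification from the signer, and the armored message produced by `export_for_mailing "$KEY_FPR" weasel@debian.org` is what you would send to that address instead of uploading the signed key to a keyserver yourself.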