GnuPG asks for confirmation...

Laurent Jumet laurent.jumet at skynet.be
Thu Jun 1 10:44:27 CEST 2006


Hello!

Sven Radde <sven at radde.name> wrote:

>>> But this is logical, isn't it?
>>> You don't trust a key (what's there to trust?). You trust the fact that
>>> *a certain key belongs to a certain user-id* and if new ids are added,
>>> you would have to think again if the owner of the key actually owns that
>>> id.
>>>
>>     Of course, he owns.
>>     It's impossible to add or revoke a UserID without the SecretKey.
>>     No matter if I add a UserID to my Key: it's the same Key.
> Trust is not about owning the key. It is about owning the *user-id* and
> in particular linking a user-id (= a real person) to a key.

> In other words: Who would prevent you from adding "sven at radde.name" as a
> user-id to your key? (Or, creating a new key with that user-id.)
> Still, as nobody would believe that my email-address belongs to your key
> (i.e. that new user-id on your key is not trusted by anyone), my emails
> would not get encrypted to your key. People would approach me (my
> user-id) for verification of the key's fingerprint and I could deny that
> the key belongs to me / my user-id.

    You are right.
    But what I noticed is this:

    Let's suppose your Key has 4 UserIDs, all fully trusted.
    You add one more UserID, "Winston Churchill".
    All 4 previous UserIDs are compromised too, at the moment you added another one.
    That's what *I think* I noticed.

-- 
Laurent Jumet
      KeyID: 0xCFAF704C


