On Tue, Sep 6, 2011 at 12:08 PM, Matthew Walster <[email protected]> wrote:
>
>
> On 6 September 2011 10:55, Ben Laurie <[email protected]> wrote:
>>
>> Actually, I think it is very different. In particular, PGP keys are
>> useful when associated with an online identity - normally represented
>> by an email address (I would certainly consider signing keys
>> associated with other forms of relevant identification).
>
> Hence why you always send the signature to the UID for that person to
> upload, rather than uploading it yourself. If the UID isn't valid, it never
> reaches the far end and therefore isn't uploaded.
>
>>
>> Signing a key
>> because the name on it happens to match the fake ID you were just
>> shown seems utterly pointless - you will never receive an email from
>> that name, nor send one to it.
>> However, the randomly chosen email that coincidentally went with that
>> name is now associated with the key, according to you, for no apparent
>> reason.
>
> I sign a key if the ID matches because I then know that the person is
> (reasonably) the name on the key. By emailing them the signature, I've then
> verified the UID. It's not perfect, but it's the least possible effort per
> unit security I can derive (with the exception of not doing it at all).

Ah, I had not noticed that little wrinkle, which is rather nice. It'd
be good if there were some way to record that that had been done in
the signature, too.

However, this makes ID checking even more pointless, IMO :-)
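
Added example (editor's illustration, not code from either poster): the flow Matthew describes, driven with gpg(1) in two scratch keyrings, one for the signer and one for the key holder. The signer certifies a single UID, exports the key trimmed to just that UID, encrypts the result to the holder's key and "mails" it (here: writes it to a file); the holder decrypts and imports it. A signature on a UID whose mailbox the holder does not control never reaches them, which is the point of sending it rather than uploading it. This is what caff from the pgp-tools package automates. The names, addresses and second UID are constructed for the demo; it assumes GnuPG 2.1 or later (the `--quick-*` commands, `--export-filter` and loopback pinentry).

```shell
#!/bin/sh
# Added example, not part of the thread: "sign one UID, mail the signature to
# that UID, let the holder import it", done with gpg(1) in two scratch keyrings.
# Names and addresses are constructed for the demo. Assumes GnuPG >= 2.1.
set -eu

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer"    # the person who did the ID check
SUBJECT_HOME="$WORK/subject"  # the key holder whose UID is being certified
mkdir -m 700 "$SIGNER_HOME" "$SUBJECT_HOME"

cleanup() {
  GNUPGHOME="$SIGNER_HOME"  gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$SUBJECT_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT

# g <homedir> <gpg args...>: run gpg unattended for one party (demo keys carry no passphrase).
g() {
  _home=$1; shift
  gpg --homedir "$_home" --batch --quiet --no-tty \
      --pinentry-mode loopback --passphrase '' "$@"
}

# fpr <homedir> <pattern>: primary-key fingerprint of the first key matching pattern.
fpr() {
  g "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# signed_uids: UIDs on the holder's key that carry a certification from the signer.
signed_uids() {
  _keyid=$(printf '%s' "$SIGNER_FPR" | tail -c 16)
  g "$SUBJECT_HOME" --with-colons --list-sigs "$SUBJ_FPR" | awk -F: -v k="$_keyid" '
    $1 == "pub" || $1 == "sub" { uid = "" }
    $1 == "uid"                { uid = $10 }
    $1 == "sig" && $5 == k && uid != "" { print uid }'
}

run_demo() {
  # Keys: one for the signer, one for the holder with two UIDs. Only
  # alice@example.org is certified; example.net stands in for a UID whose
  # mailbox the holder does not actually read.
  g "$SIGNER_HOME"  --quick-generate-key "Signer <signer@example.com>" default default never
  g "$SUBJECT_HOME" --quick-generate-key "Alice <alice@example.org>"  default default never
  SUBJ_FPR=$(fpr "$SUBJECT_HOME" alice@example.org)
  SIGNER_FPR=$(fpr "$SIGNER_HOME" signer@example.com)
  g "$SUBJECT_HOME" --quick-add-uid "$SUBJ_FPR" "Alice <alice@example.net>"

  # The holder hands over their public key (keyserver, USB stick, ...).
  g "$SUBJECT_HOME" --export "$SUBJ_FPR" | g "$SIGNER_HOME" --import

  # 1. After the ID check, certify exactly one UID, not the whole key.
  g "$SIGNER_HOME" --local-user "$SIGNER_FPR" \
      --quick-sign-key "$SUBJ_FPR" "Alice <alice@example.org>"

  # 2. Export the key trimmed to that UID (so only that certification travels)
  #    and encrypt it to the holder's key: this is the mail body. Only someone
  #    who both reads alice@example.org AND holds the private key can use it.
  g "$SIGNER_HOME" --armor --export-filter 'keep-uid=uid =~ alice@example.org' \
      --export "$SUBJ_FPR" > "$WORK/uid_sig.asc"
  g "$SIGNER_HOME" --trust-model always --armor --recipient "$SUBJ_FPR" \
      --output "$WORK/mail_to_alice.asc" --encrypt "$WORK/uid_sig.asc"

  # 3. Holder side: decrypt the mail and import the certification.
  g "$SUBJECT_HOME" --decrypt "$WORK/mail_to_alice.asc" | g "$SUBJECT_HOME" --import

  # Which UIDs now carry the signer's certification? Only example.org.
  SIGNED_UIDS=$(signed_uids)
}

if command -v gpg >/dev/null 2>&1; then
  run_demo
  printf 'UIDs carrying our certification:\n%s\n' "$SIGNED_UIDS"
else
  echo "gpg not found; nothing to demonstrate" >&2
fi
```

The signature is never uploaded by the signer: the holder has to decrypt the mail, import it into their own keyring and publish it themselves, which is what ties the certification to control of the mailbox named in the UID. Run it as `sh demo.sh`; the only UID listed at the end is the one that was both certified and reachable.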

