On Mon, Aug 12, 2013 at 05:04:50PM +1000, Glenn McIntosh wrote:
> On 12/08/13 15:49, Ben Finney wrote:
> > Rather, the purpose of your signature is to say “I met this person, verified they are who they say they are, and this person tells me this is their email address and public key”.
> I don't think of it that way; when I sign GPG keys, I am signing each uid separately. Some uids contain an email address for that person, and I'd like to know that the address is actually connected to them when I sign it. Just as there might be another uid that is a photo, and signing it means that I recognize the photo to be of that person.
This is a really good point. I'm not sure which side of the fence is best, but I feel that we should quickly discuss this point on Thursday if time permits. On one hand, when in doubt I'd like to err on the safe side. On the other hand, my key currently has two e-mail uids and I believe some people have quite a few, so signing uids individually, encrypting them and sending them out to each address could get tedious very quickly. It seems PIUS (http://www.phildev.net/pius/) might be an easy way to solve just this problem, so I might give it a try.
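The per-uid workflow being discussed, as an added example that is not part of the thread and is not PIUS's or caff's own code: each e-mail uid of the target key is signed on its own, exported as a copy of the key that carries only that uid, and encrypted to the target key, giving one sealed file per address. The script is a constructed demo: the signer's key and a target key with two e-mail uids (the `example.invalid` addresses, the throwaway GNUPGHOME and the `seal_uid`/`fpr_of` helper names are all assumptions made here) are generated locally so it runs offline with plain gpg 2.2 or later. In real use the signer holds only the target's public key, and each `.asc` file is mailed to the address in the uid it covers.

```shell
#!/bin/sh
# Added example, not code from the thread or from PIUS/caff: signing one uid at a
# time and sealing each signed copy to the key, the way caff and PIUS do it.
# Constructed demo setup: signer key + target key with two e-mail uids, both
# generated into a throwaway GNUPGHOME so everything runs offline.
set -eu
command -v gpg >/dev/null || { echo "gpg not found" >&2; exit 1; }

GNUPGHOME=$(mktemp -d); export GNUPGHOME
chmod 700 "$GNUPGHOME"
DEMO_DIR=$(mktemp -d)   # where the sealed per-address files are written

# gpg in non-interactive mode; the empty passphrase leaves the demo keys unprotected
gpgq() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary fingerprint of the first key whose uid matches an e-mail address.
fpr_of() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Constructed keys: one signer, one target with two e-mail uids (assumed addresses).
make_demo_keys() {
    gpgq --quick-gen-key 'Signer <signer@example.invalid>' default default never
    gpgq --quick-gen-key 'Target <one@example.invalid>' default default never
    gpgq --quick-add-uid "$(fpr_of one@example.invalid)" 'Target <two@example.invalid>'
}

# Sign exactly one uid of the target key, export a copy of the key that carries
# only that uid (so signatures on the other addresses cannot be harvested from it),
# and encrypt the copy to the target key. Only someone who both reads that mailbox
# and holds the private key can open the file and import the signature.
#   $1 signer fpr   $2 target fpr   $3 e-mail address in the uid   $4 output dir
seal_uid() {
    gpgq --local-user "$1" --quick-sign-key "$2" "$3"
    gpg --batch --export-filter "keep-uid=mbox = $3" --export "$2" |
        gpg --batch --yes --quiet --trust-model always --armor \
            --recipient "$2" --encrypt --output "$4/$3.asc"
}

make_demo_keys
SIGNER_FPR=$(fpr_of signer@example.invalid)
TARGET_FPR=$(fpr_of one@example.invalid)
for addr in one@example.invalid two@example.invalid; do
    seal_uid "$SIGNER_FPR" "$TARGET_FPR" "$addr" "$DEMO_DIR"
done
ls "$DEMO_DIR"   # one sealed file per address, each ready to be mailed to that address
gpgconf --kill gpg-agent
```

The `--export-filter keep-uid` step is what makes the per-uid signing meaningful: a recipient who controls only one of the mailboxes gets back only the signature on that uid, and has to prove control of the other address separately to collect the other one.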