[wellylug] GPG Question

Jo 'Mangee' Booth thegeek at mangee.net.nz
Thu Mar 2 20:40:46 NZDT 2006


Finally got round to reading this thread...  while I know you  
(Jethro) would prefer me not to mention it.. here's my 2c.  When I say  
read.. I didn't really "read" the thread, just marked it as read.

My short answer is yup.. you'll have to get people to trust you.. but  
couldn't you send them a signed email saying they can trust your new  
one? Before you delete the old one...?

The longer answer:

I use GnuPG on OS X to sign messages for a variety of email  
addresses.  Each one is loaded on the single key as a uid.  A while  
back I deleted the uid joseph at paradise.net.nz from my key [ as after  
almost 10 years I'm no longer a paradise.net customer :( ]

To edit my key I (use a gui to) enter
$  gpg --edit-key (the key id in a long hex string)
in a terminal .. this brings up a menu
I select a uid and type deluid
and then add in new ones etc with adduid.

I then upload it to the keyserver...

When you talk about signing email addresses I assume you mean setting  
the trust?  When people get your key or a signed email they can  
choose to trust your key uids..
Each "trust" is individual to a uid - so yes, people will need to  
come over and see you, check your thumbprint, and then decide to  
trust your new email address belongs to you..  you shouldn't need to  
get a new key -- just a new uid (email address) on that same key.

I trust all "my" uids on the key... all 11 of them.. :)  Some people  
trust mine.  I've even had some guy call my cell after reading the  
comment in my work one about checking that you trust it.

Last login: Thu Mar  2 20:16:09 on ttyp1
Welcome to Darwin!
Onyx:~ jo$ gpg --edit-key THATLONGHEXKEYTHATGOESHERE
gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub  1024D/C8B4C54C  created: 2004-03-17  expires: 2009-03-16  usage: CS
                      trust: ultimate      validity: ultimate
sub  2048g/C567E300  created: 2004-03-17  expires: 2009-03-16  usage: E
[ultimate] (1). Joseph Booth (Mangee) <jo at mangee.net.nz>
[ultimate] (2)  Jo Booth (WelMac - Wellingtons Biggest and Best Mac User Group!) <jo at welmac.org.nz>
[ultimate] (3)  Jo Booth (iChat/AIM address - chat me!) <mangee at mac.com>
[ultimate] (4)  Jo Booth (YIM) <jb_mangee at yahoo.com>
[ultimate] (5)  Jo Booth (MSN) <jbmangee at hotmail.com>
[ultimate] (6)  [jpeg image of size 16695]
[ultimate] (7)  Jo Booth (PHPUG) <nospam at mangee.net.nz>
[ultimate] (8)  Jo Booth (Wellington Curry Based Lifeforms) <tnc at mangee.net.nz>
[ultimate] (9)  Jo Booth (Mesh|net - http://mesh.net.nz - Community Broadband Connectivty) <jo at mesh.net.nz>
[ultimate] (10)  Jo Booth (Jo - Unlimited Potential Committee) <jo at up.org.nz>
[ultimate] (11)  Jo Booth (Mangee, the geek at Mangee|net) <thegeek at mangee.net.nz>

Ick.  I just went "showphoto"  that's a dodgy pic :)


I get a "Bad signature from Jethro D Carr (Dodocaptain) <dodocaptain  
at paradise.net.nz>!" sometimes when you sign with that key - dunno why.


Anyway.. you can keep the change.
On 2/03/2006, at 19:26 , Jethro Carr wrote:

> On Thu, 2006-03-02 at 17:36 +1300, David Murray wrote:
>> On Thu, 2 Mar 2006, Jonathan Harker wrote:
>>
>>> Jethro Carr wrote:
>>>> So say you signed "jethro.carr at jedolinux.com", if I changed my
>>>> email to "jethro.carr at some_place_other_than_microsoft.com", your
>>>> signature against my key would be "lost", as the signature was
>>>> against the old email address/UID.
>>>>
>>>> does that make sense? :-/
>>>
>>> I understand exactly, I have the same problem. I don't know either.  :-)
>
> pity. :-(
>
> that will teach me to change email addresses!
>
>> Perhaps this is to ensure that the signature is for the one person
>> at the one email address, and for no other.
>>
>> Thus, if you want a new email address, you will need a new
>> signature, and people will need to again verify you are who you say
>> you are.
>>
>> That kinda makes sense to me, given that pgp signatures are
>> intended to ensure person to person communication.
>>
>> Aren't they?
>
> yes, but people often have more than 1 address.
>
>
> -- 
> Jethro Carr
>
> www.jethrocarr.jedolinux.com
> www.jethrocarr.jedolinux.com/index.php?page=cv/cv.php
>
>
> -- 
> Wellington Linux Users Group Mailing List:  
> wellylug at lists.wellylug.org.nz
> To Leave:  http://lists.wellylug.org.nz/mailman/listinfo/wellylug

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.wellylug.org.nz/pipermail/wellylug/attachments/20060302/457eea23/attachment.pgp 
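
The point discussed in this thread, that a certification attaches to one uid rather than to the whole key, shown as an added example (not part of the original post): a parser for `gpg --with-colons --list-sigs` output, run over a constructed listing. The key IDs, names, hashes and both function names are assumptions made for illustration.

```python
# Constructed `gpg --with-colons --list-sigs` output as seen from a
# correspondent's keyring; key IDs, hashes and names are made up.
SAMPLE = """\
pub:f:1024:17:1111111111111111:1079481600:1237161600::-:::scESC:
uid:f::::1079481600::0000000000000000000000000000000000000001::Alice Example <alice@old.example>:
sig:::17:1111111111111111:1079481600::::Alice Example <alice@old.example>:13x:
sig:::17:2222222222222222:1085000000::::Bob Example <bob@example.org>:10x:
uid:-::::1141200000::0000000000000000000000000000000000000002::Alice Example <alice@new.example>:
sig:::17:1111111111111111:1141200000::::Alice Example <alice@new.example>:13x:
sub:f:2048:16:3333333333333333:1079481600:1237161600:::::e:
sig:::17:1111111111111111:1079481600::::Alice Example <alice@old.example>:18x:
"""

# OpenPGP signature types 0x10-0x13 certify a user ID; 0x18 binds a subkey.
CERT_CLASSES = {"10", "11", "12", "13"}


def certifications_by_uid(listing):
    """Map each uid to its validity, self-signature flag and third-party signers."""
    primary, current, result = None, None, {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary, current = f[4], None      # field 5: primary key ID
        elif f[0] == "sub":
            current = None                     # following sigs belong to the subkey
        elif f[0] == "uid":
            # field 2: calculated validity, field 10: the uid string
            current = result.setdefault(
                f[9], {"validity": f[1], "self_signed": False, "others": []})
        elif f[0] == "sig" and current is not None and f[10][:2] in CERT_CLASSES:
            if f[4] == primary:
                current["self_signed"] = True  # owner's own binding of uid to key
            else:
                current["others"].append(f[4])  # someone else certified this uid
    return result


def uids_without_third_party_certs(listing):
    """Uids that nobody other than the key owner has certified yet."""
    return [u for u, info in certifications_by_uid(listing).items() if not info["others"]]


if __name__ == "__main__":
    for uid, info in certifications_by_uid(SAMPLE).items():
        print(uid, info)
```

In the sample, the certification from key 2222222222222222 stays on the old uid only; the newly added uid carries just the owner's self-signature and shows validity `-` until someone certifies it.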

