In message <200502071721.05162.mark(a)mcs.vuw.ac.nz>, Mark Davies writes:
> So, from the key signing party, we should be in the position that, for anyone we have verified, we are happy that the PGP key we have the fingerprint for is indeed for the person we met. But the one thing that the process hasn't done is confirm that all the email addresses listed in the key are under the control of that person.
>
> To achieve this last step, here is a process (lifted from the NetBSD developers' PGP guidelines): [...]
I agree that the "keysigning" party approach generally bypasses actually confirming that the email addresses really belong to the person in control of the key. (Which is unfortunate, as the email address tends to be one of the more trusted parts.)

The usual approach I've seen to confirm that the email address is correct is to send the signed key to the email address listed, encrypted with the key, and not upload the key/signature to a key server. That way only the person in control of both the email address (used) and the key is able to gain access to the signature, and it's not visible to anyone else until they've done so.

The NetBSD approach seems to go further and confirm all the uids, providing one follows the elaborate process of tracking each "challenge" that is sent out against the particular uid it belongs to. But I'm not sure it's always necessary if one only signs uids one has other reasons to know are associated with the person in question. (I generally avoid signing uids for which I don't recognise the email address, for instance, unless it's the one to which the key is being sent.)

As it happens, I've already seen half a dozen new signatures for my key uploaded to the keyservers and not emailed to me, so those people presumably trust the email address for other reasons.

Ewen