On Monday 07 February 2005 22:11, Sam Sargeant wrote:
[Interestingly, this message, and the one Sam sent 2 minutes before this, took two days to retry sending direct to me, and the copies via the list never got to me at all -- does Mailman try to eliminate sending duplicates?]
> How would further verification of the email address increase security or trust? By providing their key, and confirming it during the key-signing, the owner is implying the email addresses listed are valid.
The same argument could be made for the real name - why do we insist on photo ID to confirm that "some official entity" says this person is who they say they are? After all, what we _know_ is that the key belongs to that person we met at the key-signing.
> I'm happy to confirm my email address via these means, although I don't see enough benefit for me to verify other addresses myself. I would say, as Ewen mentioned, that sending the signed key in an encrypted message is probably best. That way we avoid cluttering the key-servers with what may be useless keys. I shall do that next time. :)
Certainly when signing a single uid Ewen's approach is fine, and there would also be many situations when you have additional reasons to associate the email address with "the body you met". The process I gave merely gives one way of associating the email address and body controlling the key if you are inclined to test it (or how paranoid you feel on the day). When it comes down to it, it's your call what information you need to sign something and what level of trust you place on things signed by someone else.
cheers
mark