So, like, what's to stop me from writing a program (based on PGP source code) which can delete user IDs from my own keys after other folks have signed them? In fact, how *can* I change the user ID on a key after it has been signed? The PGP docs are unclear on how this works. Can someone help me to understand what it means exactly when a key is signed? What parts of the key are certified by the signature?
Hi. A signature on a key is a cryptographic signature of the key and userid. Therefore, you cannot remove your userid from the key and hope to keep the signatures valid. The other problem is that once other people have your userid on your key, which is necessary for them to sign it, then you need to have them remove it, too, etc. Basically, signatures and userids currently act like viruses... Once they escape, it's nearly impossible to contain them again....

-derek

Derek Atkins, MIT '93, Electrical Engineering and Computer Science
Secretary, MIT Student Information Processing Board (SIPB)
MIT Media Laboratory, Speech Research Group
warlord@MIT.EDU
PP-ASEL N1NWH
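A worked illustration of Derek's point, added here and not part of either post: in the OpenPGP format (RFC 4880, v4 keys; the thread itself predates it, and PGP 2.x framed the hash input differently, but the binding is the same in spirit), a certification signature hashes the public key packet and the user ID together, so editing the user ID changes the digest and the signature no longer verifies. The key bytes and signature header below are constructed sample values, not a real key.

```python
import hashlib
import struct

def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (2-byte bit length, then big-endian bytes)."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

# Constructed v4 public-key packet body: version 4, creation time, algorithm 1 (RSA),
# then deliberately tiny MPIs for n and e. This is sample data, not a usable key.
SAMPLE_KEY_BODY = (
    b"\x04" + struct.pack(">I", 1234567890) + b"\x01"
    + _mpi(0xC0FFEE1234567890ABCDEF) + _mpi(65537)
)

# Constructed hashed part of a v4 signature: version 4, type 0x10 (generic certification),
# public-key alg 1, hash alg 8 (SHA-256), then one hashed subpacket (signature creation time).
_SUBPACKETS = b"\x05\x02" + struct.pack(">I", 1234567999)
SAMPLE_SIG_HASHED = b"\x04\x10\x01\x08" + struct.pack(">H", len(_SUBPACKETS)) + _SUBPACKETS

def key_fingerprint(key_body: bytes) -> str:
    # RFC 4880 12.2: the v4 fingerprint covers only the key packet (0x99, 2-byte length, body).
    # The user ID is not part of it, which is why a key ID alone says nothing about names.
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest()

def certification_hash_input(key_body: bytes, user_id: bytes, sig_hashed: bytes) -> bytes:
    # RFC 4880 5.2.4: a certification over a user ID hashes, in order,
    #   0x99 || 2-byte key length || key body
    #   0xB4 || 4-byte user-ID length || user ID
    #   the signature's own hashed fields, then the trailer 0x04 0xFF || 4-byte length of those fields
    key_part = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    uid_part = b"\xb4" + struct.pack(">I", len(user_id)) + user_id
    trailer = b"\x04\xff" + struct.pack(">I", len(sig_hashed))
    return key_part + uid_part + sig_hashed + trailer

def certification_digest(key_body: bytes, user_id: bytes, sig_hashed: bytes) -> str:
    """The value the certifier actually signs; any change to key or user ID changes it."""
    return hashlib.sha256(certification_hash_input(key_body, user_id, sig_hashed)).hexdigest()

def uid_edit_breaks_certification(key_body: bytes, old_uid: bytes, new_uid: bytes) -> bool:
    """True when replacing old_uid with new_uid would invalidate an existing certification."""
    before = certification_digest(key_body, old_uid, SAMPLE_SIG_HASHED)
    after = certification_digest(key_body, new_uid, SAMPLE_SIG_HASHED)
    return before != after

if __name__ == "__main__":
    print("fingerprint (key only):", key_fingerprint(SAMPLE_KEY_BODY))
    print("editing the user ID breaks the certification:",
          uid_edit_breaks_certification(SAMPLE_KEY_BODY, b"Alice <alice@example.org>",
                                        b"Alice <alice@example.com>"))
```

The contrast between the two hash inputs is the answer to the original question: the fingerprint identifies the key material alone, while a certification binds that key material to one specific user ID string.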