
cacert-devel - Re: Can't sign PGP/GPG key uid without email address

Subject: CAcert Code Development list.


Re: Can't sign PGP/GPG key uid without email address


  • From: Benny Baumann <benbe AT cacert.org>
  • To: pstarrev AT gmail.com, cacert-support AT lists.cacert.org, Developers CAcert <cacert-devel AT lists.cacert.org>
  • Subject: Re: Can't sign PGP/GPG key uid without email address
  • Date: Wed, 25 Feb 2015 18:25:52 +0100

Hi Peter,

On 25.02.2015 at 16:17, pstarrev AT gmail.com wrote:
> Hi,
>
> The questions I have are about a PGP-key with 3 uids, 2 with and 1 without
> an e-mail address. I have tried to get the uid without the e-mail address
> signed, but to no avail.
There is one pending change in the OpenPGP code, currently up for review
on the testserver which fixes some issues with umlauts and other
non-ASCII chars. As I see it you should not be affected by this issue
(cf. #8 and #1354 on the bugtracker).

>
> Before sending out this request for support I have carefully studied the
> CAcert Mantis bug items below and the PGP key signing FAQ in an attempt to
> prevent wasting everybody's precious time:
>
> 0000343: Don't get my gpg key signed, but no error message
> 0000442: Can't sign PGP/GPG keys without email address
> 0000447: You can have any arbitrary userid signed with the cacert root key
Those three bugs have been closed for years now and, except for the second
one, they refer not to the name matching directly, but to failures to parse
the key.

As stated in #442, no signing is done without also checking for an email
address that is registered in your account. As a PGP key without one cannot
be matched that way (plus the reason given in #442 in that comment), the
key is not signed.

Also, due to some changes done since then, the format for the UID was
further narrowed down to allow only "Name <email AT domain.tld>", where Name
can be any of "Firstname Lastname", "Firstname M Lastname", "Firstname
M. Lastname", "Firstname Middlename Lastname". If multiple middle names
are present, only the initial of the first of them is allowed.
>
> I run this version of GnuPG: gpg (GnuPG) 1.4.16
>
> And this is the key involved (with the e-mail addresses slightly scrambled):
>
> pub 4096R/0x281EFEAA8CBD2C6F created: 2015-02-08 expires: 2016-03-30
> usage: SC
> trust: ultimate validity: ultimate
> sub 4096R/0xB6E846D3DFEC856E created: 2015-02-08 expires: 2016-03-30
> usage: E
> sub 4096R/0x8A93AC201BC2BC9C created: 2015-02-08 expires: 2016-03-30
> usage: S
> [ultimate] (1). Petrus Wilhelmus Starreveld (1959-03-30, Amsterdam, The Netherlands)
> [ revoked] (2) Petrus Starreveld <pstarrev at upcmail dot nl>
> [ revoked] (3) Petrus Starreveld <pstarrev at gmail dot com>
> [ultimate] (4) Petrus Wilhelmus Starreveld ("Piet") <pstarrev at gmail dot com>
> [ultimate] (5) Petrus Wilhelmus Starreveld ("Piet") <pstarrev at upcmail dot nl>
>
1 is missing the email address and thus cannot be bound to your account
in the software - and is thus not signed. This is intentional.
2 and 3 are fine if your account contains those two addresses.
4 and 5 are ignored because of the PGP comment. A bit of background
information on this can be found at
https://www.debian-administration.org/users/dkg/weblog/97

> I followed all suggestions mentioned in 0000343 and the FAQ (import secret
> key, split it and have each uid signed separately) and even tried various
> combinations of uids, but the signing bot keeps coming back with a variation
> on:
>
> 1 The format of the UID was not recognized. Please use 'Name (comment) <email@domain>'
> 2 Petrus Wilhelmus Starreveld pstarrev at gmail dot com Name and Email OK.
> 3 Petrus Wilhelmus Starreveld pstarrev at upcmail dot nl Name and Email OK.
>
> I have seen recent examples on keyservers of people having uids signed by
> CAcert that have no e-mail address connected, which causes me to believe
> that it should be possible but that I am doing something wrong or might be
> missing the proper level of assurance or something else to make this work.
Can you point me to example keys?
>
> My questions are:
> - Am I using a GPG version that fully supports this?
Yes.
> - Am I following the correct procedures?
Well, please read the note by dkg on comments in key UIDs. Also note the
accepted formats I posted above.
> - Might there be something in the offending uid that causes this?
It is missing the email address.
> - I have (only) 70 assurance points - might that be the problem?
No. With PGP the only check is for at least 50 points on that regard.
>
> I would really appreciate any help or guidance.
I hope I could at least clarify why this error occurs and why the UID is
not signed.
>
> Kind regards,
> Piet Starreveld
>
Regards,
Benny Baumann
CAcert Software Assessment Team

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
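As an added example (not code from the thread or from CAcert's own signing bot), the following Python script applies the UID rules Benny lists above to a key modelled on Piet's: a UID must have the form "Name <email@domain.tld>", a parenthesised comment is not accepted, Name is first/last with at most one middle part (full name or initial), and the email must be one registered in the account. The regular expressions, the `Account` stand-in, the name-matching step (inferred from the bot's "Name and Email OK" output) and the placeholder addresses are all assumptions made for illustration; CAcert's real matching code may differ in detail.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Approximation of the rules stated in the reply above. This regex is an
# assumption written for this example, not CAcert's actual implementation:
#   UID must be "Name <email@domain.tld>"; a parenthesised comment is rejected;
#   Name is "Firstname Lastname", "Firstname M Lastname", "Firstname M. Lastname"
#   or "Firstname Middlename Lastname" (at most one middle token);
#   the email must be registered in the CAcert account.
TOKEN = r"[^\s()<>\"]+"
NAME_RE = re.compile(rf"^({TOKEN})(?:\s+({TOKEN}))?\s+({TOKEN})$")
EMAIL_RE = re.compile(r"^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$")


@dataclass
class Account:
    """Constructed stand-in for the parts of a CAcert account the check needs."""
    first: str
    last: str
    emails: set = field(default_factory=set)


@dataclass
class UidCheck:
    ok: bool
    reason: str
    name: Optional[str] = None
    email: Optional[str] = None


def check_uid(uid: str, account: Account) -> UidCheck:
    """Decide whether one OpenPGP UID would be signed under the stated rules."""
    uid = uid.strip()
    if "<" not in uid or not uid.endswith(">"):
        # UID 1 in the thread: no email address, so nothing binds it to the account.
        return UidCheck(False, "no email address; cannot be bound to an account")
    head, _, email = uid[:-1].rpartition("<")
    name, email = head.strip(), email.strip()
    if "(" in name or ")" in name:
        # UIDs 4 and 5 in the thread: a parenthesised comment is not accepted.
        return UidCheck(False, "comment in UID not accepted")
    if not EMAIL_RE.match(email):
        return UidCheck(False, "email address malformed")
    m = NAME_RE.match(name)
    if not m:
        # e.g. two middle names: only the initial of the first would be allowed.
        return UidCheck(False, "name format not recognised")
    first, _middle, last = m.groups()
    # Name matching against the account is an assumption based on the bot's
    # "Name and Email OK" output; the middle part is not compared here.
    if (first.casefold(), last.casefold()) != (account.first.casefold(), account.last.casefold()):
        return UidCheck(False, "name does not match the account")
    if email.casefold() not in {e.casefold() for e in account.emails}:
        return UidCheck(False, "email address not registered in the account")
    return UidCheck(True, "Name and Email OK", name=name, email=email)


def check_key_uids(uids, account):
    """Run the check over every UID of a key and return {uid: UidCheck}."""
    return {uid: check_uid(uid, account) for uid in uids}


# Constructed sample modelled on the key in the thread; addresses are placeholders.
SAMPLE_ACCOUNT = Account("Petrus", "Starreveld", {"pstarrev@example.com", "pstarrev@example.net"})
SAMPLE_UIDS = [
    "Petrus Wilhelmus Starreveld (1959-03-30, Amsterdam, The Netherlands)",
    "Petrus Starreveld <pstarrev@example.net>",
    "Petrus Starreveld <pstarrev@example.com>",
    'Petrus Wilhelmus Starreveld ("Piet") <pstarrev@example.com>',
    "Petrus W. Starreveld <pstarrev@example.com>",
    "Petrus Wilhelmus Johannes Starreveld <pstarrev@example.com>",
    "Petrus Starreveld <someone@example.org>",
]

if __name__ == "__main__":
    for uid, result in check_key_uids(SAMPLE_UIDS, SAMPLE_ACCOUNT).items():
        print(f"{'SIGN' if result.ok else 'SKIP'}  {uid}  --  {result.reason}")
```

Running it shows why only the plain "Name <email>" UIDs get signed: the comment-free, email-bearing UIDs pass, the birth-date UID is skipped for lacking an email, the ("Piet") UIDs are skipped for the comment, and a UID with two middle names fails the name format. Before submitting a key, a quick pass like this over `gpg --list-keys --with-colons` output saves a round trip to the signing bot.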



