Subject: Re: BPG call for use cases
To: Martin Husemann <>
From: Curt Sampson <>
List: tech-security
Date: 07/22/2005 17:55:47
On Fri, 22 Jul 2005, Martin Husemann wrote:

> It is pretty obvious for the user what an identity is. Attached to this
> identity there are multiple eMail addresses and keys.

First of all: my fault; I was saying identity when I ought to have been
saying "User ID". Whether you understood "identity" to be "User ID" and
your description above is incorrect, or you're incorrectly calling user
IDs "eMail addresses," I'm not sure.

Regardless, I'd say that this already starts to point out the confusion
here, and certainly in teaching people reasonably competent with
computer how to use PGP, it's been my experience that they consider the
User ID to be part of the key, and not something separate.

This can lead to various misunderstandings, such as trusting a User ID
on the basis of signatures on a different User ID, generating a new key
when you need generate only a new User ID, or signing all the User IDs
on a key when you've verified only one of them.

At any rate, it would be interesting if someone with a fair amount of
experience teaching people to use one or more PGP programs would write
up a document describing common misunderstandings that users have and
errors that they make.

And I'm sure that those who feel strongly enough about having a certain
type of interface will use the toolkit to write an implementation of
that interface themselves. This is, after all, one of the points of the

Curt Sampson  <>   +81 90 7737 2974
      Make up enjoying your city life...produced by BIC CAMERA