pius fails to sign User IDs that have no e-mail address #109
some keys, like 25FC1614B8F87B52FF2F99B962AF4031C82E0039, have a user ID that has no e-mail address.
If the user indicates that they intend to certify that user ID, its certification should be attached to any other certification that can be sent -- so the certifications are sent in tandem.
So for example, if an OpenPGP certificate looks like:
then the e-mail that goes to
That way, if the recipient gets any of the e-mails, they can see a certification over the user ID that has no e-mail address.
(this is how caff treats this kind of User ID, as well as how it treats User Attributes (attached photos), fwiw -- i've raised an issue about how pius deals with User Attributes in #110)
That would be a security issue for sure. If I have a key like:
And I use your proposed algorithm, the user now validates that this individual is Bill Clinton. Now, granted, one should look down the list of all UIDs before signing, but I think this behavior would be super misleading.
It is an interesting question on how to handle this though. I'm thinking something like an extra prompt. Something like:
We could do the same thing for photo UIDs...
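A sketch of the bundling discussed in this thread, as an added example that is not code from pius or caff: certifications are grouped per e-mail address, and a user ID without an address rides along with every outgoing mail only when the signer confirmed that user ID explicitly. The function names and the sample user IDs are constructed for illustration.

```python
import re

# An OpenPGP user ID conventionally ends in "<addr>"; anything else has no mail target.
EMAIL_RE = re.compile(r"<([^<>\s@]+@[^<>\s@]+)>\s*$")

# Constructed sample user IDs (not taken from any real certificate).
UID_HOME = "Alice Example <alice@example.org>"
UID_WORK = "Alice Example <alice@work.example>"
UID_NAME_ONLY = "Some Other Name"
SAMPLE_UIDS = [UID_HOME, UID_WORK, UID_NAME_ONLY]


def uid_email(uid):
    """Return the lower-cased address of a user ID, or None if it has none."""
    match = EMAIL_RE.search(uid)
    return match.group(1).lower() if match else None


def plan_mailings(uids, confirmed):
    """Decide which certifications go into which e-mail.

    uids:      every user ID on the certificate, in order.
    confirmed: the user IDs the signer explicitly agreed to certify
               (for an address-less user ID this means a separate prompt).
    Returns (plan, undeliverable). plan maps each address to the user IDs
    whose certifications are sent there; undeliverable lists confirmed
    address-less user IDs that have no mail to ride along with.
    """
    by_addr = {}
    no_email = []
    for uid in uids:
        if uid not in confirmed:
            continue  # never certify a user ID the signer did not confirm
        addr = uid_email(uid)
        if addr is None:
            no_email.append(uid)
        else:
            by_addr.setdefault(addr, []).append(uid)
    # Attach the confirmed address-less user IDs to every outgoing mail,
    # so any single delivered message carries them.
    plan = {addr: owned + no_email for addr, owned in by_addr.items()}
    undeliverable = no_email if not by_addr else []
    return plan, undeliverable


if __name__ == "__main__":
    for chosen in ({UID_HOME, UID_WORK}, set(SAMPLE_UIDS), {UID_NAME_ONLY}):
        print(sorted(chosen), "->", plan_mailings(SAMPLE_UIDS, chosen))
```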