If a GPG key's primary user ID is not fully trusted, the function "use_untrusted()" in "src/plugins/pgpcore/select-keys.c" runs and shows a message warning of the untrusted key. Trust is based on the presence or absence of signatures, and each signature is attached to a user ID, not to the key as a whole. Therefore, each user ID can have a different level of validity within the same key. Therefore, Claws ought to check the validity of the user ID corresponding to the e-mail address to which the message is being sent, NOT the primary user ID of the key.

By signing a user ID, I assert not only that the key belongs to the person whose name appears in the UID, I also assert that the e-mail address on the UID belongs to the person. If I have made this assertion for some e-mail addresses and not others, those addresses for which I have made the assertion should not provoke a warning. Even worse, if I have asserted the primary UID's e-mail address, I would *not* get a warning when sending mail to a secondary address which I've never checked!

This means that if Alice phones up Mallory and verifies her key fingerprint and that her e-mail address is mallory@example.com, then signs her key, all Mallory has to do is add bob@example.com as a secondary UID to her key and wait for Alice to refresh her keys from the keyserver. When Alice sends Bob a message, if she's forgotten to first download Bob's key, she will unwittingly encrypt it to Mallory. Claws will show no warning message, even though Alice never signed Mallory's bob@example.com UID!
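The following C program is an added illustration of the check the report asks for; it is not code from the Claws Mail tree and not the committed fix. The key and user-ID structs are a constructed mock that only mirrors the shape of a GPGME key (a fingerprint plus a linked list of user IDs, each with its own e-mail, validity and revoked flag); the names mock_key_t, mock_user_id_t, primary_uid_validity(), recipient_uid_validity() and needs_untrusted_warning() are all hypothetical. Mallory's key below is constructed to match the scenario in the report: the primary UID mallory@example.com has full validity because Alice signed it, the later-added UID bob@example.com has none.

```c
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Validity levels in the same order GnuPG/GPGME use, so "< VALIDITY_FULL"
 * means "not fully trusted". Hypothetical names, not GPGME's enum. */
typedef enum {
    VALIDITY_UNKNOWN = 0,
    VALIDITY_UNDEFINED,
    VALIDITY_NEVER,
    VALIDITY_MARGINAL,
    VALIDITY_FULL,
    VALIDITY_ULTIMATE
} uid_validity_t;

/* Mock of a key's user-ID list: the first entry is the primary UID. */
typedef struct mock_user_id {
    struct mock_user_id *next;
    const char *email;
    uid_validity_t validity;   /* computed per UID from the signatures on it */
    int revoked;
} mock_user_id_t;

typedef struct {
    const char *fpr;
    mock_user_id_t *uids;
} mock_key_t;

/* ASCII case-insensitive compare; real code may need fuller address
 * normalisation (local parts are case-sensitive per RFC 5321 in theory). */
static int email_matches(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return 0;
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* The behaviour the report complains about: only the primary UID is consulted. */
uid_validity_t primary_uid_validity(const mock_key_t *key)
{
    return key->uids ? key->uids->validity : VALIDITY_UNKNOWN;
}

/* The behaviour the report asks for: find the non-revoked UID whose e-mail is
 * the recipient's and use *its* validity. An address that appears on no UID
 * of the key yields UNKNOWN, so the caller warns rather than trusting by default. */
uid_validity_t recipient_uid_validity(const mock_key_t *key, const char *recipient)
{
    for (const mock_user_id_t *uid = key->uids; uid != NULL; uid = uid->next) {
        if (uid->revoked)
            continue;
        if (email_matches(uid->email, recipient))
            return uid->validity;
    }
    return VALIDITY_UNKNOWN;
}

/* "Not fully trusted" means anything below FULL, matching the report's wording. */
int needs_untrusted_warning(uid_validity_t v)
{
    return v < VALIDITY_FULL;
}

/* Constructed key data for the report's scenario (not a real key). A revoked,
 * formerly-signed UID is included to show that it must not confer trust either. */
static mock_user_id_t mallory_old_uid = { NULL, "old@example.com", VALIDITY_FULL, 1 };
static mock_user_id_t mallory_bob_uid = { &mallory_old_uid, "bob@example.com", VALIDITY_UNKNOWN, 0 };
static mock_user_id_t mallory_primary_uid = { &mallory_bob_uid, "mallory@example.com", VALIDITY_FULL, 0 };
static mock_key_t mallory_key = { "CONSTRUCTED-FINGERPRINT", &mallory_primary_uid };

int main(void)
{
    const char *recipient = "bob@example.com";
    printf("primary-UID check warns:   %s\n",
           needs_untrusted_warning(primary_uid_validity(&mallory_key)) ? "yes" : "no");
    printf("recipient-UID check warns: %s\n",
           needs_untrusted_warning(recipient_uid_validity(&mallory_key, recipient)) ? "yes" : "no");
    return 0;
}
```

Run stand-alone, the primary-UID check reports no warning for a message to bob@example.com while the recipient-UID check does, which is exactly the gap the report describes. The same per-recipient lookup is what a practitioner should expect of any client that maps an address to a key: the validity that matters is the one on the UID carrying that address, never the key's primary UID.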
Changes related to this bug have been committed. Please check latest CVS and update the bug accordingly. You can also get the patch from: http://www.claws-mail.org/tracker/

2012-09-05 [colin]	3.8.1cvs43

	* src/plugins/pgpcore/select-keys.c
		Fix bug #2390, "Non-fully-trusted-key-warning appears based on
		primary UID rather than recipient e-mail"