Key Signing
Matthias Urlichs
smurf@noris.de
Mon Apr 30 11:42:01 2001
Hi,
David Turner:
> For example, if we were to organise a password at the meeting, then he
> goes home and sends me an encrypted email containing the password and his
> fingerprint, even if an interceptor spotted he had sent a mail entitled
> "My Fingerprint" he wouldn't be able to spoof that mail because he
> wouldn't know the password.
>
That's the only way, basically. Obviously you'll have to trust the
person not to divulge the password to anyone, not to use it in any
other context where it could be observed, etc., for varying levels of
paranoia. ;-)
You might want to use a one-time-password (for example, use one of these
cool 20-faced RPG dice and ignore results >15). XORing the result of
these dice throws with the key fingerprint is left as an exercise to the
reader...
--
Matthias Urlichs | noris network AG | http://smurf.noris.de/
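
The dice-and-XOR exercise mentioned in the message above, sketched as an added example that is not part of the original post. It assumes a die with faces numbered 1 to 20 and one kept roll per hex digit of the fingerprint; the function names, the fingerprint and the rolls are constructed for illustration.

```python
# Added example; fingerprint and dice rolls are constructed sample values.

def rolls_to_pad(rolls, length):
    """Apply the post's rule: discard d20 results above 15, keep the rest.

    Assumes faces are numbered 1..20, so kept values are 1..15 (one nibble each).
    """
    pad = [r for r in rolls if 1 <= r <= 15]
    if len(pad) < length:
        raise ValueError(f"need {length} usable rolls, only {len(pad)} kept")
    return pad[:length]


def xor_fingerprint(hex_digits, pad):
    """XOR each hex digit with one pad value. Applying it twice restores the input."""
    digits = "".join(hex_digits.split()).upper()
    if len(digits) != len(pad):
        raise ValueError("pad length must equal number of fingerprint digits")
    return "".join(f"{int(d, 16) ^ p:X}" for d, p in zip(digits, pad))


def verify(masked, pad, fingerprint_from_key):
    """Receiver side: unmask and compare with the fingerprint computed locally."""
    expected = "".join(fingerprint_from_key.split()).upper()
    return xor_fingerprint(masked, pad) == expected


# Constructed 40-digit fingerprint and constructed rolls (some above 15).
FINGERPRINT = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
ROLLS = [7, 19, 3, 15, 1, 20, 12, 9, 16, 4] * 7   # 70 rolls, 49 usable

if __name__ == "__main__":
    pad = rolls_to_pad(ROLLS, 40)
    masked = xor_fingerprint(FINGERPRINT, pad)
    print("masked  :", masked)
    print("verified:", verify(masked, pad, FINGERPRINT))
    # The fingerprint is public, so one masked message reveals the pad
    # (pad = masked XOR fingerprint). Use each set of rolls exactly once.
```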