Key Signing

Matthias Urlichs
Mon Apr 30 11:42:01 2001


David Turner:

> For example, if we were to organise a password at the meeting, then he
> goes home and sends me an encrypted email containing the password and his
> fingerprint, even if an interceptor spotted he had sent a mail entitled
> "My Fingerprint" he wouldn't be able to spoof that mail because he
> wouldn't know the password.
That's the only way, basically. Obviously you'll have to trust the person not to divulge the passwort to anyone, not to use it in any other context where it could be observed, etc., for varying levels of paranoia. ;-) You might want to use a one-time-password (for example, use one of these cool 20-faced RPG dice and ignore results >15). XORing the result of these dice throws with the key fingerprint is left as an exercise to the reader... -- Matthias Urlichs | noris network AG |