signing keys

Davide Cavallari
Mon Jan 28 17:17:02 2002

Many pgp/gpg users  put their key fingerprint in the  email header or body
and usually they also give an URL address to download the key from. How is
secure to check a key gotten from a keyserver following these steps?

1) check the fingerprint specified in the email

2) download the key  from the specified URL in the email and  see if it is
the same key

If I want to tamper a public key, I may write down a message, sign it with
my  tampered public  key,  upload that  key to  a  keyserver, specify  the
fingerprint of that  tampered key in the email header  and finally give an
URL which people can get the same  tampered key from. In this case the key
downloaded from  both the keyserver and  the URL are the  same. Obviously,
the fingerprint seems alright too!

So are  all these  information usefull  at all? if  I send  an email  to a
person I don't  know, how can he be more  confident about the authenticity
of my public key?
    Davide Cavallari                
A girl's best friend is her mutter.
		-- Dorothy Parker