Mon Jan 28 17:17:02 2002
Many PGP/GPG users put their key fingerprint in the email header or body,
and usually they also give a URL to download the key from. How
secure is it to check a key obtained from a keyserver by following these steps?
1) check the fingerprint specified in the email
2) download the key from the specified URL in the email and see if it is
the same key
If I want to tamper with a public key, I may write down a message, sign it with
my tampered public key, upload that key to a keyserver, specify the
fingerprint of that tampered key in the email header and finally give a
URL from which people can get the same tampered key. In this case the keys
downloaded from both the keyserver and the URL are the same. Obviously,
the fingerprint seems alright too!
So is all this information useful at all? If I send an email to a
person I don't know, how can he be more confident about the authenticity
of my public key?
A girl's best friend is her mutter.
-- Dorothy Parker
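The check the poster describes, worked through as an added example (this code is not from the post or from any PGP implementation). It computes a version 4 OpenPGP fingerprint the way RFC 4880 section 12.2 specifies it (SHA-1 over 0x99, a two-byte length, and the public-key packet body), runs the two steps from the post against a bundle that a sender controls end to end, and then runs the same key against a fingerprint that arrived over a channel the sender does not control. The RSA parameters and creation times are constructed toy values, not real keys; the function names are this example's own.

```python
import hashlib
import struct

# Constructed toy values, not real RSA moduli: large enough to look like
# 1024-bit keys, chosen only so the two "keys" differ.
LEGIT_N = (1 << 1023) + 0x1234_5678_9ABC_DEF1
ATTACKER_N = (1 << 1023) + 0x0BAD_F00D_DEAD_BEEF
RSA_E = 65537
LEGIT_CREATED = 1011916800      # constructed creation timestamp
ATTACKER_CREATED = 1012000000   # constructed creation timestamp


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2):
    version byte, 4-byte creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99 || two-byte body length || body,
    returned as 40 upper-case hex digits."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def pretty(fingerprint: str) -> str:
    """Group the hex digits in fours, the way gpg prints a fingerprint."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def normalize(fingerprint: str) -> str:
    return fingerprint.replace(" ", "").upper()


def passes_steps_1_and_2(email_fingerprint: str, keyserver_body: bytes, url_body: bytes) -> bool:
    """The two steps from the post: the keyserver copy matches the fingerprint
    quoted in the email, and the copy fetched from the URL is the same key."""
    return (v4_fingerprint(keyserver_body) == normalize(email_fingerprint)
            and keyserver_body == url_body)


def self_consistent_bundle(n: int, e: int, created: int) -> dict:
    """What any sender can produce: a key plus the fingerprint derived from it.
    The fingerprint is a hash of the key, so whoever controls the key also
    controls the fingerprint that goes into the email."""
    body = v4_public_key_packet_body(n, e, created)
    return {"fingerprint": pretty(v4_fingerprint(body)), "keyserver": body, "url": body}


def matches_trusted_fingerprint(trusted_fingerprint: str, body: bytes) -> bool:
    """The check that actually binds a key to a person: compare against a
    fingerprint obtained over a channel the sender of the email does not
    control (in person, by phone, or signed by a key already trusted)."""
    return v4_fingerprint(body) == normalize(trusted_fingerprint)


if __name__ == "__main__":
    legit_body = v4_public_key_packet_body(LEGIT_N, RSA_E, LEGIT_CREATED)
    trusted_fp = pretty(v4_fingerprint(legit_body))   # learned out of band

    # The sender of the email ships a different key with its own fingerprint.
    bundle = self_consistent_bundle(ATTACKER_N, RSA_E, ATTACKER_CREATED)
    print("email fingerprint :", bundle["fingerprint"])
    print("steps 1 and 2 pass:", passes_steps_1_and_2(bundle["fingerprint"], bundle["keyserver"], bundle["url"]))
    print("trusted fingerprint:", trusted_fp)
    print("matches trusted   :", matches_trusted_fingerprint(trusted_fp, bundle["keyserver"]))
```

The first check passes for the self-consistent bundle because every piece of evidence (header fingerprint, keyserver copy, URL copy) came from the same party; it only proves the email and the key agree with each other. The second check fails, which is the point: a fingerprint is useful exactly when it reaches you by a path the sender of the email could not have tampered with.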