validating other keys on your public keyring

David Scribner dscribner@yahoo.com
Thu Oct 24 09:14:02 2002


--- Tuyen DINH <tuyen.dinh@risc.fr> wrote:
>  * is it equivalent or less secure to personally check the
>    person's keyid?

It is less secure to use the keyid. Since you're using fewer
bits to check the key with, there is of course a greater chance
that there will exist more than one key with that key ID. Of
course, there's also a very slim chance that more than one key
would have the same fingerprint, but it's certainly less
error-prone to compare fingerprints than manually (by hand)
checking every character in the entire key block.

>  * and why do most people send their fingerprint in their
>    message, since the fingerprint is the thing you want to
>    check personally?

Say perhaps that your key is out there, on a keyserver or web
page for example. By having your key's fingerprint "advertised"
in your email signature, someone can be reasonably sure that the
key hasn't been tampered with if the fingerprint matches what's
in your email, especially if your email signatures exist
multiple times in multiple places (such as mailing lists). If
the keyserver or web site lists a key's fingerprint, and that
fingerprint matches what's in your email, it's just another
little measure of security.

Also, by having your key's fingerprint (or key ID) listed in
your email sig, you advertise PK use and may stir a few
questions from recipients, giving you a chance to evangelize and
enlighten.

HTH

=====
David D. Scribner
IT Consulting & Services
CompTIA Linux+, Network+, A+ Certified
Ph: (817) 461-4018        eFax: (630) 214-7769
dscribner_at_bigfoot.com  http://www.bigfoot.com/~dscribner/
GnuPG/PGP: 3172 7408 58CA D9C2 F697  950F 9DDC 7AC7 91EC 5F06
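
The comparison discussed in the reply above, as an added example that is not part of the original post or of GnuPG itself: it builds a version-4 OpenPGP public-key packet for a constructed (not real) RSA key, derives the fingerprint and the 64-bit and 32-bit key IDs from it the way RFC 4880 section 12.2 defines them, and checks a fingerprint computed from a fetched key against one advertised in a signature. The packet layout, the helper names and the demo key material are assumptions of this example; the only page value used is the fingerprint from the signature block.

```python
"""Added example, not from the original post or from GnuPG: OpenPGP v4
fingerprint and key-ID derivation, plus an advertised-fingerprint check.
Assumes the RFC 4880 v4 layout (SHA-1 over 0x99, two-byte length, packet
body). The RSA numbers below are constructed for the demo, not a real key.
"""
import hashlib
import hmac


def mpi(value: int) -> bytes:
    """Encode an unsigned integer as an OpenPGP multi-precision integer:
    two-byte big-endian bit count, then the magnitude bytes."""
    if value < 0:
        raise ValueError("MPIs are unsigned")
    bit_len = value.bit_length()
    return bit_len.to_bytes(2, "big") + value.to_bytes((bit_len + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 public-key packet for an RSA key (RFC 4880 5.5.2)."""
    return (bytes([4])                     # packet version 4
            + created.to_bytes(4, "big")   # key creation time, seconds since epoch
            + bytes([1])                   # public-key algorithm 1 = RSA
            + mpi(n) + mpi(e))             # RSA modulus and public exponent


def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over 0x99 || two-byte body length || body (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()


def long_key_id(fingerprint: bytes) -> str:
    """64-bit key ID: the low-order eight bytes of the v4 fingerprint."""
    return fingerprint[-8:].hex().upper()


def short_key_id(fingerprint: bytes) -> str:
    """32-bit key ID: the low-order four bytes, the form usually quoted in mail."""
    return fingerprint[-4:].hex().upper()


def normalize_fingerprint(text: str) -> str:
    """Strip the grouping spaces people put in advertised fingerprints and
    fold case, so '3172 7408 ...' compares equal to '31727408...'."""
    cleaned = "".join(text.split()).upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("not a 40-hex-digit v4 fingerprint")
    return cleaned


def fingerprint_matches(advertised: str, fingerprint: bytes) -> bool:
    """Compare the fingerprint computed from a fetched key with the one the
    owner advertised in a signature or on a web page."""
    return hmac.compare_digest(normalize_fingerprint(advertised),
                               fingerprint.hex().upper())


def expected_keys_before_collision(bits: int) -> int:
    """Birthday bound: about 2^(bits/2) random identifiers before two collide.
    A 32-bit key ID is expected to repeat after roughly 65,536 keys; the
    160-bit fingerprint effectively never does, which is the point above."""
    return 2 ** (bits // 2)


if __name__ == "__main__":
    # Constructed demo key; a modulus this small is never acceptable for real use.
    n = 0xC7D49A123F5B7E8D1A2B3C4D5E6F7081
    e = 65537
    body = v4_rsa_public_key_body(n, e, created=1035468842)
    fp = v4_fingerprint(body)
    print("fingerprint :", fp.hex().upper())
    print("long key ID :", long_key_id(fp))
    print("short key ID:", short_key_id(fp))
    # Fingerprint from the signature block above, as people paste it into mail.
    advertised = "3172 7408 58CA D9C2 F697  950F 9DDC 7AC7 91EC 5F06"
    print("demo key matches advertised fingerprint?",
          fingerprint_matches(advertised, fp))   # False: a different key
    for bits in (32, 64, 160):
        print(f"{bits:3d}-bit identifier: ~{expected_keys_before_collision(bits):,}"
              " keys before a collision is expected")
```

Running the file computes a fingerprint for the constructed key, shows that the short and long key IDs are just suffixes of it, and reports that the demo key does not match the advertised fingerprint, which is exactly the outcome you want when a fetched key is not the one its owner published.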
