making it easy to find keys

Jean-David Beyer jdbeyer at exit109.com
Fri Dec 5 07:43:52 CET 2003


Thomas Sjögren wrote:
> On Fri, Dec 05, 2003 at 10:37:45AM +0000, Stewart V. Wright wrote:
> 
>>>  X-OpenPGP-KeyID: 
>>>  X-OpenPGP-Fingerprint: 
>>>  X-OpenPGP-URL: 
>>
>>Why?  If you sign a message the recipient already gets the
>>KeyID/Fingerprint information.  
> 
> 
> Yes, but if the person hasn't uploaded the key to a keyserver an extra
> header is a convenient way to find it.
> 
> 
>>What do the two extra headers gain
>>you?  
> 
> 
> Convenient for parsing and for looking up keys that aren't on a
> keyserver.
> 
> 
>>Or at the very least why both KeyID and Fingerprint?
> 
> Agreed, no need to add the KeyID if the fingerprint is present, and I'd
> rather see the fingerprint instead of just the KeyID.
> 
I happen to put in:

X-PGP-Key: 9A2FC99A
X-PGP-KeyServer: keyserver.kjsl.com
X-PGP-Fingerprint: CC3C 3A4D D593 3491 DA41  8FE9 3EDB B65E 9A2F C99A

which is, of course, excessive. I put the key in so someone receiving 
this can look the key up. I put a keyserver in there with the key 
correct, since many keyservers have mine either wrong or very out of 
date, and the fingerprint for what seems to me to be a very weak reason.

If I were to receive a GPG | PGP signed e-mail, I would still be in 
doubt if the person who sent it to me were really the person I think it 
was. And so far, WOT notwithstanding (there is only one person in my
WOT, and I do not know him well enough to be sure how strict he is with
his signing other people's keys, and I know NONE of the people on his
publicly available key). So basically I have no web of trust. Of course
none of my correspondents take security seriously anyway, and none have 
keys of either the PGP or VeriSign type, so I really get no use out of 
it other than trying to set a good example.

The only way that I can think of is to speak with the sender over the 
telephone, provided the sender is someone I know, and whose voice I can 
pretty unambiguously identify, and exchange a few obscure facts. Even 
then, though, I must assume such a person is not under duress, but I do 
not think I am _that_ paranoid.

-- 
   .~.  Jean-David Beyer           Registered Linux User 85642.
   /V\                             Registered Machine    73926.
  /( )\ Shrewsbury, New Jersey     http://counter.li.org
  ^^-^^ 7:30am up 2 days, 20:16, 3 users, load average: 2.28, 2.21, 2.12
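
An added example, not part of the original message or of GnuPG: a Python sketch of what a recipient's tooling can do with the `X-PGP-*` headers quoted above. It checks that the key ID is the low-order bits of the v4 fingerprint, which is why the thread calls the key ID redundant. The function name `key_hints` and the sample message are constructed for illustration; the header values are the ones in the post.

```python
import re
from email import message_from_string

# Constructed sample message; the X-PGP-* values are those quoted in the post.
SAMPLE = """\
From: sender@example.org
Subject: test
X-PGP-Key: 9A2FC99A
X-PGP-KeyServer: keyserver.kjsl.com
X-PGP-Fingerprint: CC3C 3A4D D593 3491 DA41  8FE9 3EDB B65E 9A2F C99A

body
"""

def key_hints(raw):
    """Return key-lookup hints from X-PGP-* headers, or raise ValueError.

    Mail headers are not covered by the OpenPGP signature, so the result is
    only a lookup hint; the fingerprint still has to be confirmed out of band.
    """
    msg = message_from_string(raw)
    fpr = re.sub(r"\s+", "", msg.get("X-PGP-Fingerprint", "")).upper()
    keyid = msg.get("X-PGP-Key", "").strip().upper()
    if keyid.startswith("0X"):
        keyid = keyid[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit (v4) fingerprint")
    if keyid:
        if not re.fullmatch(r"[0-9A-F]{8}|[0-9A-F]{16}", keyid):
            raise ValueError("malformed key ID")
        # A v4 key ID is the low-order 64 bits of the fingerprint (the short
        # form is the low 32), so a mismatch means the headers disagree.
        if not fpr.endswith(keyid):
            raise ValueError("key ID does not match fingerprint")
    return {
        "fingerprint": fpr,
        "long_keyid": fpr[-16:],
        "short_keyid": fpr[-8:],
        "keyserver": msg.get("X-PGP-KeyServer", "").strip() or None,
    }
```

A key fetched with these hints should be accepted only after its full fingerprint has been compared with one obtained through a separate channel, such as the telephone call described in the message.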