key fingerprints - a practice question

Neil Williams linux@codehelp.co.uk
Sun Jul 27 00:11:03 2003


On Saturday 26 Jul 2003 9:38 pm, William L Anderson wrote:
> What is (are) the established practice(s) for distributing key
> fingerprints?

In person is best, by preference in a pre-printed format given to you
face-to-face by the owner of that key - no third parties involved.

> I used to see mail that had fingerprints as part of message
> signatures, but this doesn't seem to be very common now. Are there
> security issues here?

More that it is a little pointless. I don't need your fingerprint until I need
to sign your key. I will not sign your key until I meet you in person and
verify your identity with photo ID AND have already verified your email
address via the list and often private email too.

Only sign keys after verifying the person AND the email address in person. I
cannot trust the signature of anyone who does not properly verify the person
behind the key they are about to sign.

> Or is it a better practice to simply sign messages?

I'd say definitely, yes. Your signature identifies your public key and I can
retrieve it from a keyserver automatically from that. I don't need your
fingerprint to import your key or to validate your signature.

-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://slashdot.org/~codehelp
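Neil's point that a signature already identifies the signer's public key, shown with an added example that is not part of the original thread: this Python script parses an OpenPGP signature packet (RFC 4880) and reports the issuer key ID and creation time, which is what a mail client hands to a keyserver when it fetches the key automatically. The sample input is the base64 body of the signature that was attached to the original message; the script also handles version 4 signatures, where the issuer lives in a subpacket, and it only reads the packet, it does not verify the signature.

```python
import base64
import struct
from datetime import datetime, timezone

# Base64 body of the OpenPGP signature that was attached to the original message
# (its application/pgp-signature MIME part with armor header, footer and CRC removed).
SIGNATURE_B64 = ("iD8DBQA/IvzciAEJSii8s+MRAt0HAKCOkO706wIUGBdidCjZ2bnlO+3PKACgnz1f"
                 "VhXW+N8gSX0C6EIpmwQTn4I=")

def _subpackets(area):
    """Yield (type, body) pairs from an RFC 4880 signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                          # one-octet length
            length, i = first, i + 1
        elif first < 255:                        # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                    # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i], area[i + 1:i + length]
        i += length

def signature_issuer(sig):
    """Return (version, issuer key ID as hex, creation time) of a signature packet."""
    if isinstance(sig, str):                     # base64 text of an armored signature
        sig = base64.b64decode(sig)
    tag = sig[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2:
        raise ValueError("not an old-format OpenPGP signature packet")
    hdr = {0: 2, 1: 3, 2: 5}.get(tag & 0x03, 1)  # header size by length type
    body = sig[hdr:hdr + int.from_bytes(sig[1:hdr], "big")] if hdr > 1 else sig[1:]
    version = body[0]
    if version == 3:
        # v3 layout: 03 05 sigtype time(4) keyid(8) pkalgo hashalgo left16 MPIs
        created, key_id = struct.unpack(">I", body[3:7])[0], body[7:15]
    elif version == 4:
        # v4 layout: 04 sigtype pkalgo hashalgo hlen(2) hashed ulen(2) unhashed ...
        hlen = struct.unpack(">H", body[4:6])[0]
        ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
        subs = list(_subpackets(body[6:6 + hlen])) + list(_subpackets(body[8 + hlen:8 + hlen + ulen]))
        created = next(struct.unpack(">I", s)[0] for t, s in subs if t == 2)
        key_id = next(s for t, s in subs if t == 16)  # issuer key ID subpacket
    else:
        raise ValueError(f"unsupported signature version {version}")
    return version, key_id.hex().upper(), datetime.fromtimestamp(created, timezone.utc)

if __name__ == "__main__":
    print(signature_issuer(SIGNATURE_B64))
```

The key ID this prints is the value `gpg --verify` reports as "key ID" and would use with a keyserver lookup; the fingerprint exchanged in person is what you compare before signing that key, not what is needed to fetch it.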
