key fingerprints - a practice question

Neil Williams
Sun Jul 27 00:11:03 2003

On Saturday 26 Jul 2003 9:38 pm, William L Anderson wrote:
> What is (are) the established practice(s) for distributing key
> fingerprints?

In person is best, by preference in a pre-printed format given to you
face-to-face by the owner of that key - no third parties involved.

> I used to see mail that had fingerprints as part of message
> signatures, but this doesn't seem to be very common now. Are there
> security issues here?

More that it is a little pointless. I don't need your fingerprint until I need
to sign your key. I will not sign your key until I meet you in person and
verify your identity with photo ID AND have already verified your email
address via the list and often private email too.

Only sign keys after verifying the person AND the email address in person. I
cannot trust the signature of anyone who does not properly verify the person
behind the key they are about to sign.

> Or is it a better practice to simply sign messages?

I'd say definitely, yes. Your signature identifies your public key and I can
retrieve it from a keyserver automatically from that. I don't need your
fingerprint to import your key or to validate your signature.


Neil Williams
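The check the reply describes, comparing a fingerprint handed over face to face with the one GnuPG shows before signing, as an added example that is not part of the original thread. The `gpg --fingerprint` listing and the paper-slip values are constructed here; the only assumption is the long-standing "Key fingerprint =" line format of that command's output.

```python
"""Compare a fingerprint received in person with the one GnuPG reports.

Added example, not from the mailing-list post. The gpg listing below is a
constructed sample in the format `gpg --fingerprint` prints; the slip values
in the usage are constructed as well.
"""
import re

# Constructed `gpg --fingerprint` output for a V4 key (40 hex digits).
GPG_OUTPUT = """\
pub   1024D/0F1A2B3C 2003-07-26
      Key fingerprint = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 0F1A 2B3C
uid                  Example User <user@example.org>
sub   2048g/11223344 2003-07-26
"""


def normalise(fpr: str) -> str:
    """Drop spacing, colons and case so a paper slip and gpg agree on form."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()


def fingerprint_from_gpg(listing: str) -> str:
    """Extract the fingerprint from `gpg --fingerprint` output."""
    m = re.search(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)", listing)
    if not m:
        raise ValueError("no 'Key fingerprint =' line in gpg output")
    return normalise(m.group(1))


def matches_slip(slip: str, listing: str) -> bool:
    """True only when the slip carries a full fingerprint equal to gpg's.

    An 8- or 16-digit key ID is refused: it is not a fingerprint and is not
    unique, so it is no basis for signing a key. V3 fingerprints are 32 hex
    digits, V4 fingerprints 40.
    """
    want = normalise(slip)
    if len(want) not in (32, 40):
        return False
    return want == fingerprint_from_gpg(listing)


if __name__ == "__main__":
    # Slip written in lower case with different grouping still matches.
    print(matches_slip("1234 5678 9abc def0 1234 5678 9abc def0 0f1a 2b3c",
                       GPG_OUTPUT))
    # A short key ID on the slip is rejected outright.
    print(matches_slip("0F1A2B3C", GPG_OUTPUT))
```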