key fingerprints - a practice question
Sun Jul 27 00:11:03 2003
On Saturday 26 Jul 2003 9:38 pm, William L Anderson wrote:
> What is (are) the established practice(s) for distributing key
In person is best, by preference in a pre-printed format given to you
face-to-face by the owner of that key - no third parties involved.
> I used to see mail that had fingerprints as part of message
> signatures, but this doesn't seem to be very common now. Are there
> security issues here?
More that it is a little pointless. I don't need your fingerprint until I need
to sign your key. I will not sign your key until I meet you in person and
verify your identity with photo ID AND have already verified your email
address via the list and often private email too.
Only sign keys after verifying the person AND the email address in person. I
cannot trust the signature of anyone who does not properly verify the person
behind the key they are about to sign.
> Or is it a better practice to simply sign messages?
I'd say definitely, yes. Your signature identifies your public key and I can
retrieve it from a keyserver automatically from that. I don't need your
fingerprint to import your key or to validate your signature.
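The workflow described in this reply, as an added shell example that is not part of the original mail: the signature on a message yields the key ID, the keyserver yields the key, and the fingerprint handed over in person is what gets checked before signing. It assumes GnuPG is installed; the function names, the signed-message file and the "paper" fingerprint are this example's own.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumes gpg (GnuPG) is on PATH.
# Argument 1 of sign_after_checks is a clear-signed message from the key owner;
# argument 2 is the fingerprint they handed you face-to-face (hypothetical inputs).
set -eu

# Normalise a fingerprint as printed (spaces, lower case) to bare upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Return 0 if two printed fingerprints denote the same 160-bit key fingerprint.
fprs_match() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Key ID of whoever signed a clear-signed message, read from gpg's status lines
# (GOODSIG/BADSIG when the key is already local, ERRSIG when it is not yet).
signer_keyid() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null \
        | awk '$2 == "GOODSIG" || $2 == "BADSIG" || $2 == "ERRSIG" { print $3; exit }'
}

# Fetch a key by ID from the configured keyserver and report its fingerprint
# (field 10 of the "fpr" record in --with-colons output).
keyserver_fpr() {
    gpg --batch --recv-keys "$1" >/dev/null 2>&1
    gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Sign the signer's key only if the keyserver copy matches the paper fingerprint.
sign_after_checks() {
    kid=$(signer_keyid "$1")
    [ -n "$kid" ] || { echo "no signature found in $1" >&2; return 1; }
    fpr=$(keyserver_fpr "$kid")
    if fprs_match "$fpr" "$2"; then
        echo "fingerprint matches the one received in person; signing $kid"
        gpg --sign-key "$kid"
    else
        echo "MISMATCH: keyserver says $fpr, paper says $2 - not signing" >&2
        return 1
    fi
}
```

Run as `sign_after_checks signed-message.txt "1234 5678 ..."` after the in-person meeting; the identity and email checks the reply insists on are still done by the operator, the script only refuses to sign a key whose fingerprint differs from the slip.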