key fingerprints - a practice question

Johan Parin
Sun Jul 27 13:56:01 2003

Content-Transfer-Encoding: quoted-printable

David Shaw writes:

  David> Except in one (fairly uncommon) case - if you are using a
  David> signing subkey, then the keyid in the signature cannot (yet)
  David> be used to retrieve the key from a keyserver.  In that case,
  David> a fingerprint (or keyid) is helpful.

I can see that you have *both* keyid, fingerprint *and* an
X-Request-PGP URL in your message headers. Is this just to provide
redundant means of aquiring your key in case keyserver / web server is
down, or is there another thought behind this, like a URL can be
hijacked and the fingerprint can then be used to verify the downloaded
key? For retrieval purposes from keyservers, isn't the keyid
sufficient or are there servers which will let you search by
fingerprint but not by keyid?

Johan Parin <>

Content-Type: application/pgp-signature

Version: GnuPG v1.2.2 (GNU/Linux)