key fingerprints - a practice question

David Shaw
Mon Jul 28 03:22:02 2003

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Jul 27, 2003 at 01:56:41PM +0200, Johan Parin wrote:
> David Shaw writes:
>   David> Except in one (fairly uncommon) case - if you are using a
>   David> signing subkey, then the keyid in the signature cannot (yet)
>   David> be used to retrieve the key from a keyserver.  In that case,
>   David> a fingerprint (or keyid) is helpful.
> I can see that you have *both* keyid, fingerprint *and* an
> X-Request-PGP URL in your message headers. Is this just to provide
> redundant means of aquiring your key in case keyserver / web server is
> down, or is there another thought behind this, like a URL can be
> hijacked and the fingerprint can then be used to verify the downloaded
> key? For retrieval purposes from keyservers, isn't the keyid
> sufficient or are there servers which will let you search by
> fingerprint but not by keyid?

Since I use a signing subkey, I need to give a fingerprint or keyid to
fetch the main key.  I added the URL because many keyservers can't
handle my key (either because the primary is v4 RSA, or because there
is more than one subkey).

The keyid is sufficient, but since v4 keyids are just a truncated v4
fingerprint, I give whole thing and let keyservers index on however
many bits they like.


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at