key fingerprints - a practice question

David Shaw dshaw@jabberwocky.com
Mon Jul 28 03:22:02 2003


On Sun, Jul 27, 2003 at 01:56:41PM +0200, Johan Parin wrote:
> David Shaw writes:
>
>   David> Except in one (fairly uncommon) case - if you are using a
>   David> signing subkey, then the keyid in the signature cannot (yet)
>   David> be used to retrieve the key from a keyserver.  In that case,
>   David> a fingerprint (or keyid) is helpful.
>
> I can see that you have *both* keyid, fingerprint *and* an
> X-Request-PGP URL in your message headers. Is this just to provide
> redundant means of acquiring your key in case keyserver / web server is
> down, or is there another thought behind this, like a URL can be
> hijacked and the fingerprint can then be used to verify the downloaded
> key? For retrieval purposes from keyservers, isn't the keyid
> sufficient or are there servers which will let you search by
> fingerprint but not by keyid?

Since I use a signing subkey, I need to give a fingerprint or keyid to
fetch the main key.  I added the URL because many keyservers can't
handle my key (either because the primary is v4 RSA, or because there
is more than one subkey).

The keyid is sufficient, but since v4 keyids are just a truncated v4
fingerprint, I give the whole thing and let keyservers index on however
many bits they like.

David

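An added example, not part of the original message: it computes a v4 fingerprint as RFC 4880 section 12.2 defines it, derives the long and short key IDs by truncation, and looks keys up by suffix so that any identifier length works. The key material is constructed toy data, and the primary-only index is an assumption modelling the keyserver limitation described in the message.

```python
import hashlib
import struct

def mpi(n):
    """OpenPGP MPI: 2-byte bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_body(created, n, e):
    """v4 public-key packet body: version 4, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body):
    """SHA-1 over 0x99, the 2-byte body length, and the body (RFC 4880, section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fpr, bits=64):
    """v4 key ID = low-order bits of the fingerprint (64 = long ID, 32 = short ID)."""
    return fpr[-(bits // 4):]

def lookup(primary_fprs, identifier):
    """Suffix match over primary-key fingerprints: any truncation length works."""
    ident = identifier.upper().replace(" ", "")
    if ident.startswith("0X"):
        ident = ident[2:]
    if len(ident) < 8:  # refuse anything shorter than a short key ID
        return []
    return [f for f in primary_fprs if f.endswith(ident)]

# Constructed toy key material (far too small to be a real key), for illustration only.
PRIMARY = v4_fingerprint(v4_rsa_body(1059300000, 0xC0FFEE1234567890ABCDEF01, 65537))
SIGNING_SUBKEY = v4_fingerprint(v4_rsa_body(1059300100, 0xDEADBEEF0987654321FEDCBB, 65537))
INDEX = [PRIMARY]  # assumption: the server indexes primary keys only

if __name__ == "__main__":
    print("fingerprint :", PRIMARY)
    print("long key ID :", key_id(PRIMARY))
    print("short key ID:", key_id(PRIMARY, 32))
    # The key ID found in a signature made by the subkey does not locate the primary.
    print("by subkey ID:", lookup(INDEX, key_id(SIGNING_SUBKEY)))
    # The primary's own ID or full fingerprint does.
    print("by primary  :", lookup(INDEX, "0x" + key_id(PRIMARY, 32)))
```

A key fetched from a URL can be checked the same way: recompute the fingerprint from the downloaded packet and compare all 160 bits against the published value, not only the 32-bit or 64-bit suffix.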