key fingerprints - a practice question
Adrian 'Dagurashibanipal' von Bidder
Mon Jul 28 10:28:02 2003
On Sunday 27 July 2003 00:12, Neil Williams wrote:
> On Saturday 26 Jul 2003 9:38 pm, William L Anderson wrote:
> > I used to see mail that had fingerprints as part of message
> > signatures, but this doesn't seem to be very common now. Are there
> > security issues here?
> More that it is a little pointless. I don't need your fingerprint until I
> need to sign your key. I will not sign your key until I meet you in person
> and verify your identity with photo ID AND have already verified your email
> address via the list and often private email too.
Not so sure. Scenario: I don't have my key signed by others, but I use it occasionally. Putting the fingerprint in my mail .sig makes it harder for somebody to replace that key: he'd need to hunt down all the emails I've sent in the past, where my fingerprint is listed. If I write to mailing lists, this may mean cracking several web archives + the google cache etc.

Of course, signing all email achieves the same, and more. And of course, this cannot replace a proper key signing. But for 'I send this encrypted mail to the same guy who always posts on this mailing list' sort of identification, it suffices - especially since there is no need to really identify the person behind the mail address, it's only important that it's the same person.
Hope you get what I mean
Could this mail be a fake? (Answer: No! - http://fortytwo.ch/gpg/intro)
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.5&md5sum=5dff868d11843276071b25eb7006da3e
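What a fingerprint quoted in a .sig actually pins down, and how a recipient would check it against a key they later receive, as an added example that is not part of this thread or of GnuPG: the OpenPGP version 4 fingerprint (RFC 4880 section 12.2) is SHA-1 over the byte 0x99, a two-octet packet length, and the public-key packet body (version, creation time, algorithm, RSA n and e as MPIs). The key material below is a constructed stand-in, not a real key, and the function names are this example's own.

```python
"""Compute an OpenPGP v4 fingerprint and compare it with one quoted in a mail .sig.

Added illustration; the key below is constructed and far too small to be a real RSA key.
"""
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algo id 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet body length || body, as 40 upper-case hex digits."""
    if len(body) > 0xFFFF:
        raise ValueError("public-key packet body too long for a two-octet length")
    return hashlib.sha1(bytes([0x99]) + struct.pack(">H", len(body)) + body).hexdigest().upper()


def format_fingerprint(fp_hex: str) -> str:
    """Render as the familiar 'XXXX XXXX ... XXXX  XXXX ...' form people paste into a .sig."""
    groups = [fp_hex[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def normalize_fingerprint(fp_text: str) -> str:
    """Strip whitespace and case so a fingerprint copied out of a mail compares cleanly."""
    return "".join(fp_text.split()).upper()


def matches_claimed(claimed: str, body: bytes) -> bool:
    """True if the fingerprint quoted in the .sig is the fingerprint of this key packet.

    Uses a constant-time comparison; the point here is correctness, not secrecy, but it
    is the habit to have when comparing any authenticator.
    """
    return hmac.compare_digest(normalize_fingerprint(claimed), v4_fingerprint(body))


# Constructed sample key: a fixed 2003-era creation time, a made-up modulus, e = 65537.
SAMPLE_CREATED = 1059300000
SAMPLE_N = int.from_bytes(b"constructed modulus, not a real RSA key!", "big") | 1
SAMPLE_E = 65537
SAMPLE_BODY = v4_rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)

# A "replacement" key published under the same name but with a different modulus.
SUBSTITUTE_BODY = v4_rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N + 2, SAMPLE_E)

# What the key owner pasted into old mails.
QUOTED_IN_SIG = format_fingerprint(v4_fingerprint(SAMPLE_BODY))

if __name__ == "__main__":
    print("fingerprint in .sig :", QUOTED_IN_SIG)
    print("received key matches:", matches_claimed(QUOTED_IN_SIG, SAMPLE_BODY))
    print("substitute key match:", matches_claimed(QUOTED_IN_SIG, SUBSTITUTE_BODY))
```

The check only tells you that the key you hold now is the same key whose fingerprint appeared in earlier mail, which is exactly the continuity-of-identity property the post describes; it says nothing about who the person behind the address is. A substituted key with a different modulus changes every byte of the hash input and so fails the comparison.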