key fingerprints - a practice question

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Mon Jul 28 10:28:02 2003


On Sunday 27 July 2003 00:12, Neil Williams wrote:
> On Saturday 26 Jul 2003 9:38 pm, William L Anderson wrote:

> > I used to see mail that had fingerprints as part of message
> > signatures, but this doesn't seem to be very common now. Are there
> > security issues here?
>
> More that it is a little pointless. I don't need your fingerprint until I
> need to sign your key. I will not sign your key until I meet you in person
> and verify your identity with photo ID AND have already verified your email
> address via the list and often private email too.

Not so sure. Scenario: I don't have my key signed by others, but I use it
occasionally. Putting the fingerprint in my mail .sig makes it harder for
somebody to replace that key: he'd need to hunt down all the emails I've sent
in the past, where my fingerprint is listed. If I write to mailing lists, that
may mean crack several web archives + the Google cache etc.

Of course, signing all email achieves the same, and more. And of course, this
cannot replace a proper key signing. But for 'I send this encrypted mail to
the same guy who always posts on this mailing list' sort of identification,
it suffices - especially since there is no need to really identify the person
behind the mail address, it's only important that it's the same person.

Hope you get what I mean

greets
-- vbi


-- 
Could this mail be a fake? (Answer: No! - http://fortytwo.ch/gpg/intro)
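The continuity check vbi describes above (a reader comparing the fingerprint quoted in an archived .sig against the key actually presented to them), as an added Python example that is not part of the thread: it computes an OpenPGP v4 fingerprint (RFC 4880 section 12.2, SHA-1 over 0x99, a two-byte length and the public-key packet body) for a constructed toy RSA key packet, not a real key, and checks it against a constructed .sig; a key with a different modulus fails the check.

```python
import hashlib
import re
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte big-endian bit count, then the value."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def rsa_v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 public-key packet for an RSA key: version, creation time, algo 1, n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a 2-byte body length, and the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def format_fingerprint(fp: str) -> str:
    """Conventional display: ten groups of four hex digits, double space in the middle."""
    groups = [fp[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])

# Ten groups of four hex digits with any spacing, not embedded in a longer hex run.
_FP_RE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{4}\s*){10}(?![0-9A-Fa-f])")

def extract_fingerprints(mail_text: str) -> list:
    """Collect 40-hex-digit fingerprints quoted in a mail body, normalised to bare upper-case hex."""
    return [re.sub(r"\s", "", m.group(0)).upper() for m in _FP_RE.finditer(mail_text)]

def key_matches_sig(body: bytes, mail_text: str) -> bool:
    """The continuity check: does the presented key hash to a fingerprint quoted in the .sig?"""
    return v4_fingerprint(body) in extract_fingerprints(mail_text)

# Constructed toy key (80-bit modulus), not a real key; the creation time is arbitrary.
TOY_KEY = rsa_v4_public_key_body(1059000000, 0xD3A15E7F0B9C2D615F83, 65537)
# Constructed .sig in the style discussed in the thread, quoting that key's fingerprint.
SAMPLE_SIG = "-- \nvbi\nGPG key fingerprint: " + format_fingerprint(v4_fingerprint(TOY_KEY)) + "\n"
# A substituted key with a different modulus: the archived .sig no longer vouches for it.
SUBSTITUTED_KEY = rsa_v4_public_key_body(1059000000, 0xD3A15E7F0B9C2D615F85, 65537)

if __name__ == "__main__":
    print("original key matches archived .sig:", key_matches_sig(TOY_KEY, SAMPLE_SIG))
    print("substituted key matches archived .sig:", key_matches_sig(SUBSTITUTED_KEY, SAMPLE_SIG))
```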
