Including public key

Jay Litwyn brewhaha at
Sat Jul 30 04:22:12 CEST 2011


On 2011-07-29 6:03 PM, MFPA wrote:
> Hi
> On Thursday 28 July 2011 at 4:22:52 PM, in 
> <mid:4E317ECC.1060107 at>, Jay Litwyn wrote:
>> Do not sign my photo until you see me in person,
> OK, fair enough. If the key has WoT signatures from people I trust
> to have such a policy. But in the case of the OP's key with only 
> self-signatures, the inclusion of a photo would do nothing to
> reassure me.

I was just looking at the pgp global directory signing key (the machine
that signed my key). About twenty revocation certificates are on it,
including prz at

>> although it would be tricky to fake photo-id production on skype.
>> Photo-id doesn't make very good single frames, but change the angle
>> on television and those chrome things flicker and move...
> OK, use a TV projector and point your webcam at the screen.

I do not have a webcam, and I do not know why
you want me to create feedback.

>>> A phone number would only help if the person ringing it knew you
>>> well enough to recognise your voice on the phone. Even then,
>>> somebody  could record your voice and use it create an
>>> answerphone message...
>> That is what a signed mp3 in my comment is about,
> Signed with the key, and somebody who knows you could recognise your 
> voice if they play the file. Arguably, "Mallory" could make
> recordings of your voice and use them to create such a file and sign
> it with their fake key.

Not if she wants any coherence in the tune; not that there is a lot,
mind you: it was straight a cappella. All you can ever do is make a
man-in-the-middle attack harder. Live conversation makes it harder.

>> and just in case you do not follow links in message source 
>> [comments] very often...
> Like almost never. (-;
>> (I will
>> never call it a thumbprint or a fingerprint; key hash)
> Why not? Using the standard term of "Fingerprint" rather than 
> "Keyprint_Biometric" might lead more people to understand what the 
> file was likely to be.

The picture of a thumb in PGP bugs me.
PGP also features a list of words, instead of hexadecimal.
It calls *that* a biometric print; not unless you voice it somewhere,
and it won't work with GPG, which would need the same dictionary.

>> Additionally, you can do a reverse lookup on my phone number
> I could possibly pay somebody with law enforcement connections to do 
> that.

There is a link from my phone number on my web site to my snail address, if you want. In 1990, if
I wanted to do a reverse lookup, I could go to the library. There they
had about nine square metres dedicated to phone books in North America
(I think that's where they drew the line, anyway). My library also had a
reverse directory for Edmonton. By 1996, they were doing the same thing
with a computer and disks; much less space, many more search options.
Today, I do not have to go anywhere, my white pages are useless for
looking up businesses, and reverse lookup (for this country) is at: (under other search options)

>> and at least see if I am lying about my given and family names,
>> according to a corporation that my library used to verify my
>> identity.
> Assuming the phone is billed to you personally, and that you gave
> your real name when setting up the service.

They required my social security number.
Nobody is perfect. I am nobody. Therefore, I am perfect.
Why would anyone go to such lengths to impersonate me electronically?

> I once had a library check on my phone number, by getting out the 
> phone book and finding my surname and address and comparing the
> number listed to the one I gave them. (That was when I was in my
> teens and lived with my parents, so the initial would not have
> matched my first name.)
>> My bottom line is that photos and phone numbers do not hurt.
> Depends on the user's privacy requirements and threat model.

"Enerjize", said Kirk, then a pink drummer bunny appeared.
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla -
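The thread argues over whether to call it a "fingerprint" or a "key hash". The two are the same thing: an OpenPGP v4 fingerprint is the SHA-1 of the public-key packet, framed with a 0x99 octet and a two-octet length (RFC 4880, section 12.2), and the long key ID is its last eight bytes. The following is an added example, not code from this thread or from GnuPG; it builds a toy RSA public-key packet from constructed values (TOY_N, TOY_E, TOY_CREATED are made up and far too small to be a real key) and hashes it exactly the way the fingerprint is defined. Because the creation timestamp is inside the hashed packet, two keys with identical n and e but different creation times get different fingerprints, which the example also shows.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte big-endian bit count, then the magnitude."""
    if value == 0:
        return b"\x00\x00"
    nbits = value.bit_length()
    nbytes = (nbits + 7) // 8
    return struct.pack(">H", nbits) + value.to_bytes(nbytes, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 Public-Key packet (RFC 4880 5.5.2) for RSA (public-key algorithm 1):
    version 4, 4-byte creation time, algorithm id, MPI(n), MPI(e)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint_input(body: bytes) -> bytes:
    """The exact bytes that get hashed: 0x99, two-octet body length, then the body (RFC 4880 12.2)."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(body: bytes) -> str:
    """The 'key hash': SHA-1 over the framed packet, as 40 upper-case hex digits."""
    return hashlib.sha1(fingerprint_input(body)).hexdigest().upper()


def long_key_id(fpr_hex: str) -> str:
    """The 64-bit key ID is simply the low-order 8 bytes of the v4 fingerprint."""
    return fpr_hex[-16:]


def format_fingerprint(fpr_hex: str) -> str:
    """Group into ten blocks of four hex digits, with the usual double space in the middle."""
    groups = [fpr_hex[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


# Constructed toy key material for illustration only. A real RSA modulus is
# thousands of bits; this 64-bit value exists only so the packet layout is visible.
TOY_N = 0xD4A1B2C3E5F60718
TOY_E = 65537
TOY_CREATED = 1311906132  # constructed timestamp (late July 2011, same era as the thread)

TOY_BODY = rsa_public_key_packet_body(TOY_N, TOY_E, TOY_CREATED)
TOY_FPR = v4_fingerprint(TOY_BODY)

if __name__ == "__main__":
    print("hashed bytes:", fingerprint_input(TOY_BODY).hex())
    print("fingerprint: ", format_fingerprint(TOY_FPR))
    print("long key ID: ", long_key_id(TOY_FPR))
    # Same n and e, creation time one second later: a different fingerprint.
    later = v4_fingerprint(rsa_public_key_packet_body(TOY_N, TOY_E, TOY_CREATED + 1))
    print("same key, later timestamp, same fingerprint?", later == TOY_FPR)
```

The PGP word list mentioned in the thread is just another rendering of these same 20 bytes (one word per byte, alternating between two lists of 256 words), so it carries no more identity information than the hex form; it is not implemented here.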

