[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GPG fingerprints

Hi,

On Mon, 17 Sep 2001 19:42:05 +1000, Steve writes:
>I mention this because a friend/colleague use to send his GPG public
>key to people via email, and then placed his key fingerprint in his
>.sig, in the belief that this would enhance security (not to mention
>his geek-cred).  A five minute explanation of the principle of a
>man-in-the-middle attack, followed by a swift bat upside the head with
>a copy of "Applied Cryptography" seemed to do the trick, and he
>sheepishly removed it.

I think that many people put their fingerprint in their e-mail signature 
to exploit the Internet's archiving capability.  If I e-mail you my public 
key, you should not pay attention to the fingerprint in the signature of 
that e-mail.  However, you can go to dejanews.com, or the debian mailing 
list archives, or your own "saved mail" folder, and notice that every 
single message from me has the same GPG fingerprint, even the messages 
that are months or years old.  From that, you can develop a degree of 
trust.

	--- Wade

PS: Don't bother looking for the GPG fingerprint, I don't bother with GPG 
yet.

-- 
 /"\  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
 \ /   ASCII Ribbon Campaign    | Wade Richards --- wrichard@direct.ca 
  X   - NO HTML/RTF in e-mail   | Fight SPAM!  Join CAUCE.
 / \  - NO Word docs in e-mail  | See http://www.cauce.org/ for details.
Reply to: