Re: [OT] : gpg fingerprint in mail's signature ? - Was: Re: RFS: gtkwhiteboard (now dfsg compatible)

[George Danchev <danchev@spnet.net>]

On Sunday 22 June 2008, The Fungi wrote:
> On Sun, Jun 22, 2008 at 05:41:11PM +0200, Olivier Berger wrote:
> > Is there any use in adding your fingerprint to the signature ? ... It
> > seems misleading at least, if users think they can trust that... and
> > without the public key, it's useless anyway.
>
> It's assumed that your public key can be commonly found on public
> keyservers or by fingering your address. Putting your key
> fingerprint in your .sig is *obviously* not equivalent to
> cryptographically signing a particular message, but it does help
> others identify that they've looked up the correct key for you if
> they want to encrypt a response to you. It's only potentially
> misleading if someone doesn't understand PKI in the first place, but
> then what's the point of avoiding misleading someone about something
> they don't know how to use in the first place? 

;-) Well yes, people who are unable to make the difference between a 
cryptographically signed message and such that merely contains a key 
fingerprint at the end could not be a factor with regard to the originator 
identification and verification process, since they don't know what to verify 
anyway and since it is a well known fact that everybody can write a message 
with any free-form text appended at the end ;-)

> I don't know if the 
> extra 40 characters make my .sig obscenely larger, but if they did I
> might shorten it to a key ID instead.

In order to shorten my appendix with one line I decided on key ID only 
instead, which is enough for public key diggers.

-- 
pub key ID 0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>