Re: [OT] : gpg fingerprint in mail's signature ? - Was: Re: RFS: gtkwhiteboard (now dfsg compatible)
On Sunday 22 June 2008, The Fungi wrote:
> On Sun, Jun 22, 2008 at 05:41:11PM +0200, Olivier Berger wrote:
> > Is there any use in adding your fingerprint to the signature ? ... It
> > seems misleading at least, if users think they can trust that... and
> > without the public key, it's useless anyway.
> It's assumed that your public key can be commonly found on public
> keyservers or by fingering your address. Putting your key
> fingerprint in your .sig is *obviously* not equivalent to
> cryptographically signing a particular message, but it does help
> others identify that they've looked up the correct key for you if
> they want to encrypt a response to you. It's only potentially
> misleading if someone doesn't understand PKI in the first place, but
> then what's the point of avoiding misleading someone about something
> they don't know how to use in the first place?
;-) Well yes, people who are unable to tell the difference between a
cryptographically signed message and one that merely contains a key
fingerprint at the end could not be a factor with regard to the originator
identification and verification process, since they don't know what to verify
anyway and since it is a well-known fact that everybody can write a message
with any free-form text appended at the end ;-)
> I don't know if the
> extra 40 characters make my .sig obscenely larger, but if they did I
> might shorten it to a key ID instead.
In order to shorten my appendix by one line I decided on key ID only
instead, which is enough for public key diggers.
pub key ID 0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>
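
The lookup check discussed in this thread, as an added example that is not part of the original message: it computes the fingerprint of a fetched version 4 OpenPGP public key (RFC 4880, section 12.2) and reports whether a string copied from a .sig matches it as a full fingerprint, a 64-bit key ID or a 32-bit key ID. The function names and `SAMPLE_BODY` are assumptions made for illustration, and the sample key material is constructed.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed sample: v4 public key packet body (version, creation time,
# algorithm 1 = RSA, modulus n, exponent e). The modulus is a made-up toy
# value, not a real or usable key.
SAMPLE_BODY = (b"\x04" + struct.pack(">I", 1214150400) + b"\x01"
               + mpi(0xC7A1F35B9D2E4F6081A3B5C7D9EBFD0F) + mpi(65537))

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, a 2-byte big-endian length, then the packet body."""
    if not body or body[0] != 4:
        raise ValueError("not a version 4 public key packet body")
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(framed).hexdigest().upper()

def normalize(advertised: str) -> str:
    """Drop spaces, colons and an optional 0x prefix from a value copied out of a .sig."""
    s = "".join(ch for ch in advertised if ch not in " :\t").upper()
    return s[2:] if s.startswith("0X") else s

def match_kind(advertised: str, body: bytes) -> str:
    """Say how much of the fetched key's fingerprint the advertised value pins down."""
    fpr = v4_fingerprint(body)
    adv = normalize(advertised)
    if any(c not in "0123456789ABCDEF" for c in adv):
        return "invalid"
    if adv == fpr:
        return "fingerprint"      # all 160 bits agree
    if len(adv) == 16 and fpr.endswith(adv):
        return "long-keyid"       # low 64 bits of the fingerprint agree
    if len(adv) == 8 and fpr.endswith(adv):
        return "short-keyid"      # low 32 bits of the fingerprint agree
    return "mismatch"

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_BODY)
    print(fpr, match_kind("0x" + fpr[-8:], SAMPLE_BODY))
```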