Re: GPG fingerprints

To: debian-security@lists.debian.org
Subject: Re: GPG fingerprints
From: Steve <tarka@zip.com.au>
Date: Mon, 17 Sep 2001 19:42:05 +1000
Message-id: <[🔎] 15269.50541.37628.117738@colderidge.tarka.org>
In-reply-to: <[🔎] 20010914222325.A6393@morgul.net>
References: <[🔎] E15i4nG-0008Mc-00@braindead.automatedproperties.com> <[🔎] 20010914222325.A6393@morgul.net>

> Then, get in touch with me by some secure means and confirm that
<snip>

I think rather that "secure" it might be better to say "using some
other means of authentication".  "Authentication" can mean a lot of
things, with the method depending on the level of security required (a
phone call to quote the fingerprint may be sufficient where you would
recognise the persons voice and the data being transferred is not
critical), but it definitely means "through a different channel.

I mention this because a friend/colleague use to send his GPG public
key to people via email, and then placed his key fingerprint in his
.sig, in the belief that this would enhance security (not to mention
his geek-cred).  A five minute explanation of the principle of a
man-in-the-middle attack, followed by a swift bat upside the head with
a copy of "Applied Cryptography" seemed to do the trick, and he
sheepishly removed it.

This same person is now contracting out his services as, among other
things, a "security expert".

Caveat Emptor,
Steve

Reply to:

Follow-Ups:
- Re: GPG fingerprints
  - From: Wade Richards <wrichard@direct.ca>

References:
- GPG fingerprints
  - From: Warren Turkal <wturkal@cbu.edu>
- Re: GPG fingerprints
  - From: "Noah L. Meyerhans" <frodo@morgul.net>

Prev by Date: Absolutely can't disable Keyboard-Interactive authentication in OpenSSH.
Next by Date: Seeking for a Debian Security Secretary
Previous by thread: Re: GPG fingerprints
Next by thread: Re: GPG fingerprints
Index(es):
- Date
- Thread