
Re: GPG fingerprints

> Then, get in touch with me by some secure means and confirm that

I think rather than "secure" it might be better to say "using some
other means of authentication".  "Authentication" can mean a lot of
things, with the method depending on the level of security required (a
phone call to quote the fingerprint may be sufficient where you would
recognise the person's voice and the data being transferred is not
critical), but it definitely means "through a different channel".

I mention this because a friend/colleague used to send his GPG public
key to people via email, and then placed his key fingerprint in his
.sig, in the belief that this would enhance security (not to mention
his geek-cred).  A five minute explanation of the principle of a
man-in-the-middle attack, followed by a swift bat upside the head with
a copy of "Applied Cryptography" seemed to do the trick, and he
sheepishly removed it.

This same person is now contracting out his services as, among other
things, a "security expert".

Caveat Emptor,
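As an added illustration (not part of this thread), the following Python computes an OpenPGP v4 fingerprint (RFC 4880 section 12.2) from a constructed toy key packet and shows why a fingerprint that travels in the same email as the key proves nothing, while one obtained through a different channel catches the substitution. The tiny moduli and the Alice/Mallory names are constructed assumptions, not real keys.

```python
import hashlib
import hmac
import struct


def rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Body of an OpenPGP v4 RSA public-key packet: version, creation time,
    algorithm id (1 = RSA), then the MPIs n and e (RFC 4880 section 5.5.2)."""
    def mpi(x: int) -> bytes:
        body = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack(">H", x.bit_length()) + body
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """SHA-1 over 0x99, the 2-octet packet length, then the packet body."""
    prefix = bytes([0x99]) + struct.pack(">H", len(packet_body))
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()


def normalise(fpr: str) -> str:
    """Accept a fingerprint as read out over the phone: any spacing or case."""
    return "".join(fpr.split()).upper()


def in_band_check(email_key: bytes, sig_fingerprint: str) -> bool:
    """The check the .sig trick amounts to: fingerprint and key arrived together."""
    return hmac.compare_digest(v4_fingerprint(email_key), normalise(sig_fingerprint))


def matches_out_of_band(received_key: bytes, spoken_fingerprint: str) -> bool:
    """Compare the received key against a fingerprint obtained via another channel."""
    return hmac.compare_digest(v4_fingerprint(received_key), normalise(spoken_fingerprint))


# Constructed toy keys: moduli far too small to be real, used only for the demo.
ALICE_KEY = rsa_public_key_packet(n=0xC5A1D7F3E9B2470D, e=65537, created=1_000_000_000)
MALLORY_KEY = rsa_public_key_packet(n=0xD81F3C77A0E4B9F1, e=65537, created=1_000_000_000)


def demo() -> tuple:
    """Mallory intercepts Alice's email, swaps in her own key and rewrites the
    .sig fingerprint to match. Returns (in-band result, out-of-band result)."""
    alice_reads_out_by_phone = v4_fingerprint(ALICE_KEY)
    delivered_key, delivered_sig = MALLORY_KEY, v4_fingerprint(MALLORY_KEY)
    return (in_band_check(delivered_key, delivered_sig),          # passes: useless
            matches_out_of_band(delivered_key, alice_reads_out_by_phone))  # fails: caught
```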
