Re: GPG fingerprints
On Mon, 17 Sep 2001 19:42:05 +1000, Steve writes:
>I mention this because a friend/colleague used to send his GPG public
>key to people via email, and then placed his key fingerprint in his
>.sig, in the belief that this would enhance security (not to mention
>his geek-cred). A five minute explanation of the principle of a
>man-in-the-middle attack, followed by a swift bat upside the head with
>a copy of "Applied Cryptography" seemed to do the trick, and he
>sheepishly removed it.
I think that many people put their fingerprint in their e-mail signature
to exploit the Internet's archiving capability. If I e-mail you my public
key, you should not pay attention to the fingerprint in the signature of
that e-mail. However, you can go to dejanews.com, or the Debian mailing
list archives, or your own "saved mail" folder, and notice that every
single message from me has the same GPG fingerprint, even the messages
that are months or years old. From that, you can develop a degree of
PS: Don't bother looking for the GPG fingerprint, I don't bother with GPG
/"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ / ASCII Ribbon Campaign | Wade Richards --- email@example.com
X - NO HTML/RTF in e-mail | Fight SPAM! Join CAUCE.
/ \ - NO Word docs in e-mail | See http://www.cauce.org/ for details.
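
The archive check described in the reply above, as an added example that is not part of the original thread: it reads only the block after the "-- " signature delimiter of each archived message and records, per sender, which fingerprints appeared and over what period. The archive contents, addresses and fingerprints are constructed, and the 40-hex-digit fingerprint layout is an assumption.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumption: 40-hex-digit fingerprints, optionally space-grouped.
FPR_RE = re.compile(r"\b[0-9A-Fa-f]{4}(?:\s*[0-9A-Fa-f]{4}){9}\b")

def fingerprint_history(raw_messages):
    """Map sender -> {fingerprint: (first_seen, last_seen, count)}."""
    history = defaultdict(dict)
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg["From"])[1].lower()
        when = parsedate_to_datetime(msg["Date"])
        # Only the block after the "-- " delimiter counts, so a
        # fingerprint quoted in the body is not attributed to the sender.
        _, delim, sig = msg.get_payload().rpartition("\n-- \n")
        match = FPR_RE.search(sig) if delim else None
        if not match:
            continue
        fpr = re.sub(r"\s+", "", match.group(0)).upper()
        first, last, count = history[sender].get(fpr, (when, when, 0))
        history[sender][fpr] = (min(first, when), max(last, when), count + 1)
    return history

def assess(history, sender):
    """'consistent' = one fingerprint ever seen; 'conflict' = more than one."""
    seen = history.get(sender, {})
    if not seen:
        return "unknown"
    return "consistent" if len(seen) == 1 else "conflict"

# Constructed sample archive (addresses, dates and fingerprints are made up).
FPR_A = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
FPR_B = "FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98"

def _mail(sender, date, body, sig):
    return f"From: {sender}\nDate: {date}\nSubject: x\n\n{body}\n-- \n{sig}\n"

ARCHIVE = [
    _mail("alice@example.org", "3 Jan 2000 09:00:00 +0000", "hi", f"fpr: {FPR_A}"),
    _mail("alice@example.org", "5 Mar 2001 10:00:00 +0000", "hi", f"fpr: {FPR_A}"),
    _mail("Alice <alice@example.org>", "17 Sep 2001 08:00:00 +0000", "hi", f"fpr: {FPR_A}"),
    _mail("bob@example.org", "1 Feb 2001 12:00:00 +0000", "hi", f"fpr: {FPR_A}"),
    _mail("bob@example.org", "2 Feb 2001 12:00:00 +0000", "hi", f"fpr: {FPR_B}"),
    _mail("carol@example.org", "3 Feb 2001 12:00:00 +0000", f"Alice uses {FPR_A}", "Carol"),
]
```

A "consistent" result only shows continuity of the fingerprint in copies of the archive you obtained independently of the message that delivered the key; it says nothing about who controls the key.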