[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GPG fingerprints

Wade Richards <wrichard@direct.ca> writes:

> >            A five minute explanation of the principle of a
> >man-in-the-middle attack, followed by a swift bat upside the head with a
> >copy of "Applied Cryptography" seemed to do the trick, and he sheepishly
> >removed it.
> I think that many people put their fingerprint in their e-mail signature
> to exploit the Internet's archiving capability. If I e-mail you my public
> key, you should not pay attention to the fingerprint in the signature of
> that e-mail. However, you can go to dejanews.com, or the debian mailing
> list archives, or your own "saved mail" folder, and notice that every
> single message from me has the same GPG fingerprint, even the messages
> that are months or years old. From that, you can develop a degree of
> trust.

Yes. A zero-trust sense of trust.

The whole point of having a fingerprint is to be able to compare it out of
band - eg you send me your public key, I phone you back and you have to dig
out the fingerprint which I compare from the public key, which is totally
defeated if someone else can dig it out of deja/google!

If you want to develop a sense of trust, then the most trust you can have
is that `this poster' is the same as `that poster', because their messages
both validate against the same key ID (*not* fingerprint).

Unless I'm well mistaken, of course... But I'd never trust a key whose
fingerprint had turned up in public before.

It's enough that I can see the morning      |piglet@stirfried.vegetable.org.uk
In miracles much more than I can say        |http://spodzone.org.uk/
It's enough to keep me still believing      |
In drifting hearts so far away              |

Reply to: