
Re: GPG fingerprints



On Mon, 17 Sep 2001, at 20:25 +0200,
 Martin said:

> also sprach Tim Haynes (on Mon, 17 Sep 2001 05:05:27PM +0100):
> > Unless I'm well mistaken, of course... But I'd never trust a key whose
> > fingerprint had turned up in public before.
> 
> that's a little ridiculous, isn't it, given that i can use my gpg to
> view the fingerprint of your public key, which is, uh, public. you can
> safely post your fingerprint everywhere, but you have to do
> fingerprint verification - i have to read you mine - over the phone

  That's right, I usually show my fingerprint in my emails; of course,
if anyone wants to trust my public key, he has to contact me in
a more secure way than looking at the signature of a single email.

  Looking at lots of emails from me, some new, some old, could be a good way,
a telephone call can be OK if you know my voice, and a mix of these things
would be OK if you don't know me at all.

  Key-sharing at public events (like Linux conventions) is also a
good way of verifying public keys: you will meet the person, you can
even ask him for his ID (driving license or something like this),
and it is also a good way of making new friends and talking a lot about
Linux ;-).

  Personal contact is (hopefully) the only real way to verify public
keys, but the cost of being a "man in the middle" fooling all the
Internet, changing the web logs of mailing lists and the database of every web
crawler, is so high that for the most common cases it is sufficient
to publish your fingerprint in every email along with your telephone
number.

  Also use common sense for these things; it is the best way
of being really sure of the integrity of someone's public key.
  
-- 
<Yoda> use the source, Luke!

Alberto Cortés Martín     | Ing. de Telecomunicaciones
email: alcortes@coitt.es  | Universidad Carlos III
tel: +34 91 450 09 85     | Madrid
cel: 600 42 77 57         | Spain
  1A8B 0FE6 2094 8E48 38A2  7785 03CD 07CD 6CA4 E242

Attachment: pgpYwesCmrhVH.pgp
Description: PGP signature
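
The point made in the quoted text, that a fingerprint is derived entirely from the public key and only the out-of-band comparison carries trust, shown as an added example that is not part of the original message. It computes a version 4 OpenPGP fingerprint as RFC 4880 defines it; the toy RSA modulus, the timestamp and all function names are constructed for illustration.

```python
import hashlib
import struct

# Constructed sample key material (toy RSA modulus, not a real key).
N = (2**127 - 1) * (2**89 - 1)
E = 65537
CREATED = 1000000000  # key creation time, seconds since the epoch


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    # version 4, creation time, algorithm 1 (RSA), then the two MPIs
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880, 12.2)."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def grouped(fpr: str) -> str:
    """Ten groups of four hex digits with a wider gap in the middle."""
    groups = [fpr[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def matches(body: bytes, claimed: str) -> bool:
    """Compare the key we hold with a fingerprint received out of band."""
    cleaned = "".join(claimed.split()).upper()
    if len(cleaned) != 40:  # refuse truncated values such as short key IDs
        return False
    return v4_fingerprint(body) == cleaned


if __name__ == "__main__":
    body = v4_public_key_body(CREATED, N, E)
    spoken = grouped(v4_fingerprint(body))  # what the owner reads out
    print(spoken, matches(body, spoken))
    # A substituted key cannot reproduce the fingerprint the owner read out.
    print(matches(v4_public_key_body(CREATED, N + 2, E), spoken))
```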

