Re: GPG fingerprints



>>>>> "Wade" == Wade Richards <wrichard@direct.ca> writes:

Wade> I think that many people put their fingerprint in their e-mail
Wade> signature to exploit the Internet's archiving capability.  If I
Wade> e-mail you my public key, you should not pay attention to the
Wade> fingerprint in the signature of that e-mail.  However, you can go
Wade> to dejanews.com, or the debian mailing list archives, or your own
Wade> "saved mail" folder, and notice that every single message from me
Wade> has the same GPG fingerprint, even the messages that are months or
Wade> years old.  From that, you can develop a degree of trust.

I think the key (no pun intended) is to use multiple channels.  My
public key is available on a public keyserver.  My fingerprint is
pasted into all my mails, which go to almost all mailing lists, and into
all my newsgroup postings (and these, as you mentioned, are available via
HTTP).

So if someone wants to spoof my key, they would have to either
- compromise groups.google.com, wwwkeys.pgp.net, lists.debian.org,
  various e-mail servers, etc
- be very close to the person trying to get my key, so that they would
  be able to spoof traffic from these
or
- be very close to me and modify my outgoing messages and spoof network
  traffic when I try to verify that the keys/fingerprints have been sent
  correctly (which is probably pretty hard, since I have multiple
  network access points)

On the other hand, if you send both the fingerprint and the GPG key via
e-mail, there's just one service that needs to be attacked.

Mind you, the best policy is to only fully trust keys that you can
verify *in person*, or that can be verified via the web of trust, if you
need to send/sign anything critical.

(Speaking of which, is there anyone in the Waterloo (Canada) region who
wants to sign my key?  My key currently has 0 signatures (other than my
self-sig).)

-- 
Hubert Chan <hackerhue@geek.com> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.
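The multi-channel check described in the message above, as an added worked example (Python, written for this page; it is not Hubert's code and the key it processes is a constructed toy packet, not his key). It computes an OpenPGP v4 fingerprint from a public-key packet body the way GnuPG does (SHA-1 over 0x99, a two-byte length, and the body), normalizes fingerprints as people paste them into signatures, derives the short key ID, and then compares the fingerprint of a "fetched" key against what several independent channels have shown. The channel names and the sightings are assumptions made up for the example; only the formatting of Hubert's own fingerprint and key ID comes from the page.

```python
import hashlib
import re

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(text):
    """Strip whitespace/colons and upper-case a fingerprint pasted from a signature."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    if not HEX40.match(fpr):
        raise ValueError("not a 160-bit v4 fingerprint: %r" % (text,))
    return fpr


def format_fingerprint(fpr):
    """Render in GnuPG's 4-digit groups, with the extra space after the 5th group."""
    fpr = normalize_fingerprint(fpr)
    groups = [fpr[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def short_key_id(fpr):
    """For a v4 key the short (32-bit) key ID is the low 8 hex digits of the fingerprint."""
    return normalize_fingerprint(fpr)[-8:]


def mpi(value):
    """OpenPGP MPI encoding: 2-byte bit length, then the big-endian magnitude."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def v4_pubkey_body(created, algo, numbers):
    """Body of a v4 public-key packet: version, creation time, algorithm, MPIs."""
    return b"\x04" + created.to_bytes(4, "big") + bytes([algo]) + b"".join(mpi(n) for n in numbers)


def v4_fingerprint(body):
    """RFC 4880 12.2: SHA-1 over 0x99 || 2-byte body length || body, as GnuPG prints it."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def cross_check(key_fpr, sightings):
    """Compare the fingerprint of a fetched key against every channel it was seen on.

    sightings maps a channel name to the fingerprint strings observed there.
    A channel agrees only if every sighting matches; one altered copy flags it.
    Returns (agreeing_channels, disagreeing_channels).
    """
    key_fpr = normalize_fingerprint(key_fpr)
    agreeing, disagreeing = [], []
    for channel, seen in sightings.items():
        observed = {normalize_fingerprint(s) for s in seen}
        (agreeing if observed == {key_fpr} else disagreeing).append(channel)
    return agreeing, disagreeing


# Constructed toy key packet (algorithm 17 = DSA, nonsense tiny MPIs). Not a real key.
TOY_BODY = v4_pubkey_body(created=1000000000, algo=17,
                          numbers=[0xDEADBEEF, 0x1234, 0xABCD, 0x99])
TOY_FPR = v4_fingerprint(TOY_BODY)

# Constructed sightings: the archived posts agree with the fetched key, the copy
# that arrived in the same e-mail as the key has one altered digit.
ALTERED = TOY_FPR[:-1] + ("0" if TOY_FPR[-1] != "0" else "1")
SIGHTINGS = {
    "lists.debian.org archive (3 posts)": [format_fingerprint(TOY_FPR)] * 3,
    "groups.google.com": [TOY_FPR.lower()],
    "same e-mail as the key": [ALTERED],
}


if __name__ == "__main__":
    print("key fingerprint:", format_fingerprint(TOY_FPR), "(key ID", short_key_id(TOY_FPR) + ")")
    agree, disagree = cross_check(TOY_FPR, SIGHTINGS)
    print("agreeing channels:   ", agree)
    print("disagreeing channels:", disagree)
```

The point of `cross_check` is the one the message makes: a fingerprint that only ever travelled alongside the key it vouches for adds nothing, whereas months of archived postings on hosts an attacker would separately have to compromise do. In practice the body bytes come from the keyserver's packet, and the sightings from your own saved mail and the public archives; a disagreeing channel is a reason to stop and ask, not to pick whichever copy is most convenient.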