El lun, 17 de sep de 2001, a las 20:25 +0200, Martin decía que: > also sprach Tim Haynes (on Mon, 17 Sep 2001 05:05:27PM +0100): > > Unless I'm well mistaken, of course... But I'd never trust a key whose > > fingerprint had turned up in public before. > > that's a little ridiculous, isn't it, given that i can use my gpg to > view the fingerprint of your public key, which is, uh, public. you can > safely post your fingerprint everywhere, but you have to do > fingerprint verification - i have to read you mine - over the phone That's right, i use to show my fingerprint on my emails, of course if anyone want to trust my public key, he have to contact me in a more secure way than looking the signature of a single email. Looking lots of emails from me, some new, some old, could be a good way, a telephone call can be OK if you know my voice, and a mix of these things would be OK if you don't know me at all. Key-sharing in public events (like Linux conventions) it's also a good way of verifying public keys, you will meet the person, even you can ask him for his ID (car driving license or something like this), and also is a good way of making new friends, and talk a lot about linux ;-). Personal contact is (hopefully) the only real way to verify public keys, but the cost of been a "man in the meddle" fooling all the Internet, changing web logs of mail lists and database of every web crawler is so high that for the most common cases it's is sufficient with publishing your fingerprint on every email and your telephone number. Also use the common sense for this things, it is the best way of been real sure of the integrity of someone's public key. -- <Yoda> use the source, Luke! Alberto Cortés Martín | Ing. de Telecomunicaciones email: alcortes@coitt.es | Universidad Carlos III tel: +34 91 450 09 85 | Madrid cel: 600 42 77 57 | Spain 1A8B 0FE6 2094 8E48 38A2 7785 03CD 07CD 6CA4 E242
Attachment:
pgpgU3uFXGYsr.pgp
Description: PGP signature