On Wed, Aug 02, 2006 at 02:54:55PM -0600, Mike Bougie wrote:
> is it the fingerprint or the key id that is supposed to be handed out? i've
> been giving my Key id...

You naughty boy!!! ;-)

It is best to hand out the fingerprint. The reason is that the key ID can be duplicated, either accidentally (as more people generate keys) or deliberately by someone attacking the system (not that easily). The fingerprint provides a method of confirming that the key that I download is the one it should be, i.e. the one that you uploaded.

So we have:

1) You give me ID and fingerprint -> I can trust I can download the 'real' key later.
2) I confirm Photo ID -> you are really (or have the same name as) the one on the key.
3) I sign the downloaded key, and upload (or return to you if you'd prefer) -> I vouch that this is the key for you/your email. [Note: I am only confirming that this is your key, I might still think that you are a low down stinking rat....]
4) Other people who trust me/my key, can now trust your key - even though they've never met you.

So this is how the web of trust expands.....

Also, later when you discover that I am casually signing anything without checking, you can mark me as don't trust, and this will automatically ripple down your (and only your) trust database, removing me from this trust path.

Also also, if I later discover that you're an imposter, I can revoke my signature on your key and upload it to a key server. When someone merges the key, these changes will propagate to their keyring.

Short story is that fingerprints are preferred.

Simon.
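
Added example, not part of Simon's message: a Python sketch of why the key ID is a weaker check than the fingerprint, and of the comparison made in step 1 before signing. It assumes version 4 OpenPGP keys, where the fingerprint is a SHA-1 hash over the public-key packet and the key ID is only its last 64 (or 32) bits; the function names and the sample packet are constructed for illustration.

```python
import hashlib
import struct

def v4_fingerprint(pubkey_body: bytes) -> str:
    """SHA-1 over 0x99, a two-octet length, and the public-key packet body (RFC 4880, 12.2)."""
    if not pubkey_body or pubkey_body[0] != 4:
        raise ValueError("only version 4 public-key packets are handled here")
    framed = b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body
    return hashlib.sha1(framed).hexdigest().upper()

def key_ids(fingerprint: str) -> tuple:
    """Long (64-bit) and short (32-bit) key IDs are just the tail of the fingerprint."""
    return fingerprint[-16:], fingerprint[-8:]

def normalize(handed_out: str) -> str:
    """Strip spaces, colons and an optional 0x prefix from what was read off a slip of paper."""
    value = handed_out.replace(" ", "").replace(":", "").upper()
    value = value[2:] if value.startswith("0X") else value
    if len(value) != 40 or any(c not in "0123456789ABCDEF" for c in value):
        raise ValueError("need a full 40-hex-digit fingerprint, not a key ID")
    return value

def downloaded_key_matches(pubkey_body: bytes, handed_out: str) -> bool:
    """True only when the whole fingerprint of the downloaded key equals the one handed out."""
    return v4_fingerprint(pubkey_body) == normalize(handed_out)

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: two-octet bit count, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed sample: a v4 RSA public-key packet body with toy numbers (not a usable key).
SAMPLE_BODY = (bytes([4]) + struct.pack(">I", 1154552095) + bytes([1])
               + mpi(0xC0FFEE1234567891) + mpi(65537))

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_BODY)
    long_id, short_id = key_ids(fpr)
    print("fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("long key ID:", long_id, " short key ID:", short_id)
    # A different fingerprint that shares the same key ID must still be rejected.
    lookalike = ("0" if fpr[0] != "0" else "1") + fpr[1:]
    print("genuine matches:", downloaded_key_matches(SAMPLE_BODY, fpr))
    print("look-alike matches:", downloaded_key_matches(SAMPLE_BODY, lookalike))
```

The look-alike value differs from the real fingerprint only outside the last 16 hex digits, so a key-ID comparison would accept it while the full-fingerprint comparison does not.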

