Wade Richards <[EMAIL PROTECTED]> writes: > > A five minute explanation of the principle of a > >man-in-the-middle attack, followed by a swift bat upside the head with a > >copy of "Applied Cryptography" seemed to do the trick, and he sheepishly > >removed it. > > I think that many people put their fingerprint in their e-mail signature > to exploit the Internet's archiving capability. If I e-mail you my public > key, you should not pay attention to the fingerprint in the signature of > that e-mail. However, you can go to dejanews.com, or the debian mailing > list archives, or your own "saved mail" folder, and notice that every > single message from me has the same GPG fingerprint, even the messages > that are months or years old. From that, you can develop a degree of > trust.
Yes. A zero-trust sense of trust. The whole point of having a fingerprint is to be able to compare it out of band - eg you send me your public key, I phone you back and you have to dig out the fingerprint which I compare from the public key, which is totally defeated if someone else can dig it out of deja/google! If you want to develop a sense of trust, then the most trust you can have is that `this poster' is the same as `that poster', because their messages both validate against the same key ID (*not* fingerprint). Unless I'm well mistaken, of course... But I'd never trust a key whose fingerprint had turned up in public before. ~Tim -- It's enough that I can see the morning |[EMAIL PROTECTED] In miracles much more than I can say |http://spodzone.org.uk/ It's enough to keep me still believing | In drifting hearts so far away |
