
Re: Why Fingerprints and Key-ID's
At 09:42 PM 8/2/96 -0700, Paul Wittry <[email protected]> wrote:
>I understand PGP Open-Signed messages and why they are used. I've 
>read all the FAQ's. I can't seem to figure out why some of us put our 
>Fingerprints and/or Key-ID's at the end of messages.

Even with the PGP Web Of Trust, one of the difficult problems
in cryptography is how to do key distribution - if you want to
talk to Bob, how do you know you've really got _Bob's_ key
instead of a key some imposter Eve _said_ was Bob's key?
Similarly, if you receive a message saying "Bank X will pay
you $Y, signed Bank X Small-Transactions-Teller",
how do you know it really came from them and wasn't signed
by some fake key that Carol genned up?
One way is to get some well-known person to sign your key,
or a chain of people who get you to a sig for the key you want.

Another way is to give out your key, often.  That way someone
who gets email from "you", signed by "your" key, can compare
the key with previous keys you've stuck on your email and
business cards, and scream if there's a mismatch.
For this, remember to use the full key fingerprint, not just
the short KeyID which can be duplicated arbitrarily.
This is especially useful for pseudonymous people like
Black Unicorn.

Another reason is just to remind people you've got a PGP key
and make it easier to look up 0x12345678 correctly than
"Joe Anonymous" or "smith".
#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# <A HREF="http://idiom.com/~wcs"> 	Defuse Authority!
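Bill's advice to compare the full fingerprint rather than the short Key-ID, worked as an added Python example that is not part of the original post: it computes an OpenPGP v4 fingerprint as specified in RFC 4880 (a key format later than the 1996 PGP keys discussed here), derives the 32-bit Key-ID people quote from it, and checks a received key against a fingerprint recorded earlier. The key material and names (BOB_KEY, IMPOSTER_KEY) are constructed toy values, not real keys.

```python
import hashlib
import hmac


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return value.bit_length().to_bytes(2, "big") + body


def v4_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet: version, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a two-byte big-endian body length, then the body."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()


def short_key_id(fingerprint: bytes) -> str:
    """The 32-bit Key-ID people quote (0x12345678 style) is only the low four bytes of the fingerprint."""
    return "0x" + fingerprint[-4:].hex().upper()


def pretty(fingerprint: bytes) -> str:
    """Fingerprint as printed on a business card or .sig: ten groups of four hex digits."""
    h = fingerprint.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def matches_pinned(pinned: str, received_body: bytes) -> bool:
    """Compare a freshly received key against the fingerprint recorded from earlier mail or a card.
    Spacing in the pinned string is ignored; the comparison is constant-time."""
    expected = bytes.fromhex(pinned.replace(" ", ""))
    return hmac.compare_digest(expected, v4_fingerprint(received_body))


# Constructed toy key material (tiny moduli, NOT real RSA keys) so the example runs offline.
BOB_KEY = v4_pubkey_body(0x31FFE4A0, n=0xC5F9A1B3D7E2, e=65537)
IMPOSTER_KEY = v4_pubkey_body(0x31FFE4A0, n=0xC5F9A1B3D7E3, e=65537)
BOB_PINNED = pretty(v4_fingerprint(BOB_KEY))  # what Bob put on his business card

if __name__ == "__main__":
    print("Bob's card:      ", BOB_PINNED, short_key_id(v4_fingerprint(BOB_KEY)))
    print("Received key OK? ", matches_pinned(BOB_PINNED, BOB_KEY))
    print("Imposter key OK? ", matches_pinned(BOB_PINNED, IMPOSTER_KEY))
```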