[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cute.
-----BEGIN PGP SIGNED MESSAGE-----
0xa11a8a18bf6dbe8362926e9458a3616d/0x4d162bbe1 a.k.a Amad3us wrote:
>> I'm not sure a timestamp matters that much for "authenticating" your
>> key. After all, you don't own "Amad3us", you own key 0x4D162BBE1.
>
>Yes. Except for minor nit: 0x4D162BBE1 is susceptible to a
>0xdeadbeef attack, anyone can generate another key with that keyID.
>Even the fingerprint is spoofable. But the combination is truly hard
>to spoof, and this I do own:
>0xa11a8a18bf6dbe8362926e9458a3616d/0x4d162bbe1 (fingerprint/keyID).
Uhhh... that's what I meant to say. (Although I can't think of a
circumstance where the fingerprint matters if the reputation is bound
to the key only.)
While we're on the subject, why are key IDs used anyway? People don't
really use them for anything. Software might as well use the complete
description of the key internally.
For that matter, I'm not sure the the e-mail address and user name are
good things to associate with the key. The e-mail address changes all
the time. The user name should be assigned by you as part of the
authentication procedure, not by the person offering the key.
Monty Cantsin
Editor in Chief
Smile Magazine
http://www.neoism.org/squares/smile_index.html
http://www.neoism.org/squares/cantsin_10.htm
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQEVAwUBNFzktJaWtjSmRH/5AQHm8wf+Lkw/iHSwn/zEpttQws49R3pmDAjtSkrz
Q8+6qI09JgfY4xnlljJkYMoeHpij9TEZ59SlBl5exSzCH6dQoStJXPACxm5UUQil
J9YnDd3q4ehHMH9wQd8eXYpDNdRxqUGwqMZR8+eRlo1X2yGDvOY40+Ayd0/jnX8X
AEhZ8io669eQ3+55n/25LkGT7Zc26zRLsiU+07pBWRIj2cwV7BiQF2gZqx9owf2E
lrhKRJ7b7iDT7/Q+thrifzBHq1mUnugPlUXpYqv4SKPDzoK8zpGODIzLntv4M91b
AllRO5ytCoSu1IFCTKJ4D3oT4OsftrjHy7MYNcsLNQDoKTbp7JewNA==
=m1a1
-----END PGP SIGNATURE-----