At 9:22 AM PDT on October 24 Christoph Berg sent off:

> <jacob@xxxxxxxxxxxxxxx>, <20031021054009.GH14755@xxxxxxxxxxxxxxx>:

Sigh. Not only is your attribution too long, it's not even line wrapped.

> > Actually, I did have a few questions. I
> > have seen people including links to their pubkey in headers (which I am
> > attempting to do) and I have also seen people just post their key num (I
> > think that is what it is) or fingerprint in their sig (like I did below).
> > Why is this exactly?
>
> There are two reasons for doing so: First, to enable other people to get
> your key.

<snip>...

> As gpg can automatically download keys from keyservers, this doesn't make
> that much sense

Back at the dawn of time there was this program called pgp, which could not
automatically fetch keys. Inertia is very powerful, and I need to update my
headers myself.

> Second, people could try to "sign" the message by including the
> fingerprint (which is -in contrast to the keyid- believed to be secure).
> But that's nonsense, as the message is already gpg-signed, and just
> including your fingerprint won't convince me at all that the key
> actually belongs to the person you are claiming to be.

You're looking at it the wrong way. There are different kinds of identity.

A signature verified through the web of trust tells you that someone in
your web of trust presumably checked gov't I.D. of the author. That's fine
if you're a bouncer at a bar or a border guard, but

1. doesn't work so well for pseudonyms, at least when the author is
   unwilling to let anyone in your web of trust tie the pseudonym to his or
   her birth name.

2. is only as good as gov't I.D. There's a whole industry for faking it.

I'm overgeneralizing a bit, but my experience with key parties is a bunch of
mostly strangers looking at each other's driver's licenses or passports.

Another kind of identity is one established in an online forum, such as
this one. It is more (admittedly not very much in this case) relevant for
you to know that this message is signed with the same key that is advertised
in messages from "the post.el guy" than from someone whose real name is
Robert Reid. And trust me, there are lots of those.

Putting a key's fingerprint in the header of every message is a way to
establish support from the message for the key, not to draw support for the
message from the key.
Attachment: pgpETCh0EX760.pgp (PGP signature)
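Two technical points sit under the exchange above: Berg's remark that the fingerprint, unlike the key ID, is "believed to be secure", and the author's point that a fingerprint in every header lets messages vouch for a key, not the other way round. The following is an added example (not code from the thread or from either poster) that makes both concrete. It derives the OpenPGP v4 fingerprint, long key ID and short key ID from a public-key packet using the layout of RFC 4880 (sections 3.2, 5.5.2 and 12.2), then keeps a small first-seen ledger mapping a pseudonym to the fingerprint of the key that actually signed its messages, so that a header-advertised fingerprint can be checked against the signing key and against earlier messages. The RSA moduli, creation times, pseudonym and message sequence are constructed toy data, not real keys or real messages; the `FingerprintLedger` class and its verdict strings are names chosen here, not part of any PGP tool.

```python
"""Added example (not from the thread): OpenPGP v4 fingerprint / key-ID
derivation per RFC 4880, plus a first-seen ledger that checks the fingerprint
advertised in a message header against the key that signed the message and
against earlier messages from the same pseudonym. All key material is
constructed toy data."""
import hashlib
import struct
from typing import Dict, List, Optional, Tuple


def mpi(n: int) -> bytes:
    """RFC 4880 3.2 multi-precision integer: two-octet big-endian bit count,
    then the big-endian magnitude with no leading zero octets."""
    if n < 0:
        raise ValueError("MPIs are unsigned")
    if n == 0:
        return b"\x00\x00"
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 public-key packet for RSA (public-key algorithm 1):
    version octet, 4-octet creation time, algorithm octet, MPI n, MPI e (RFC 4880 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the body."""
    if len(body) > 0xFFFF:
        raise ValueError("public-key packet body too long for a two-octet length")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_id(fingerprint: bytes) -> bytes:
    """The long key ID is the low-order 64 bits of the fingerprint."""
    return fingerprint[-8:]


def short_key_id(fingerprint: bytes) -> bytes:
    """The 8-hex-digit "key num" seen in .sigs is the low-order 32 bits. Any key
    whose fingerprint ends in the same four octets shares it, so it only guards
    against accidental confusion, not a deliberately generated look-alike key."""
    return fingerprint[-4:]


def format_fingerprint(fingerprint: bytes) -> str:
    """Upper-case hex in groups of four, the way fingerprints are printed in headers."""
    hexed = fingerprint.hex().upper()
    return " ".join(hexed[i:i + 4] for i in range(0, len(hexed), 4))


def normalize_fingerprint(text: str) -> str:
    """Strip the grouping whitespace from a header or .sig fingerprint."""
    return "".join(text.split()).upper()


class FingerprintLedger:
    """Hypothetical trust-on-first-use record: remembers the first signing-key
    fingerprint seen for each pseudonym and classifies later messages against it."""

    def __init__(self) -> None:
        self.seen: Dict[str, str] = {}

    def check(self, pseudonym: str, advertised: Optional[str],
              signing_key_fingerprint: bytes) -> str:
        actual = signing_key_fingerprint.hex().upper()
        # A header fingerprint supports the key only if this message was in fact
        # signed by that key; a header naming some other key is just text.
        if advertised is not None and normalize_fingerprint(advertised) != actual:
            return "header-mismatch"
        previous = self.seen.get(pseudonym)
        if previous is None:
            self.seen[pseudonym] = actual
            return "first-seen"
        return "consistent" if previous == actual else "key-changed"


# Constructed toy keys (not real RSA keys): same modulus, creation times one
# second apart, which is enough to give two distinct fingerprints.
KEY_A = v4_rsa_public_key_body(0x3F9A1C00, (1 << 1023) | 0xC0FFEE, 65537)
KEY_B = v4_rsa_public_key_body(0x3F9A1C01, (1 << 1023) | 0xC0FFEE, 65537)


def run_demo() -> List[Tuple[str, str]]:
    """Four constructed messages from one pseudonym: first sighting, a follow-up
    with no header, a header naming key A on a message signed by key B, and a
    message that consistently uses key B after the switch."""
    fpr_a, fpr_b = v4_fingerprint(KEY_A), v4_fingerprint(KEY_B)
    ledger = FingerprintLedger()
    messages = [
        ("the post.el guy", format_fingerprint(fpr_a), fpr_a),
        ("the post.el guy", None, fpr_a),
        ("the post.el guy", format_fingerprint(fpr_a), fpr_b),
        ("the post.el guy", format_fingerprint(fpr_b), fpr_b),
    ]
    return [(who, ledger.check(who, header, signer)) for who, header, signer in messages]


if __name__ == "__main__":
    fpr = v4_fingerprint(KEY_A)
    print("fingerprint:", format_fingerprint(fpr))
    print("key id:     ", key_id(fpr).hex().upper())
    print("short id:   ", short_key_id(fpr).hex().upper())
    for who, verdict in run_demo():
        print(who, "->", verdict)
```

The ledger deliberately does nothing with real names or the web of trust: a "consistent" verdict says only that this message was signed with the same key as the pseudonym's earlier messages, which is exactly the kind of continuity the author is after. The fingerprint is a full 160-bit hash of the key packet, so matching it is meaningful; the 32-bit short ID is convenient for humans but not something to key a decision on.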