
Purpose of fingerprint posting



At 9:22 AM PDT on October 24 Christoph Berg sent off:
> <jacob@xxxxxxxxxxxxxxx>, <20031021054009.GH14755@xxxxxxxxxxxxxxx>:

Sigh.  Not only is your attribution too long, it's not even line wrapped.

> > actually, i did have a few questions.  i
> > have seen people including links to there pubkey in headers (which i am
> > attempting to do) and i have also seen people just post their key num (i
> > think that is what it is) or fingerprint in their sig (like i did below).
> > why is this exactly?
> 
> There are two reasons for doing so: First, to enable other people to get
> your key.
<snip>...

> As gpg can automatically download keys from keyservers, this doesn't make
> that much sense

Back at the dawn of time there was this program called pgp, which could not
automatically fetch keys.  Inertia is very powerful, and I need to update my
headers myself.

> Second, people could try to "sign" the message by including the
> fingerprint (which is -in contrast to the keyid- believed to be secure).
> But that's nonsense, as the message is already gpg-signed, and just
> including your fingerprint won't convince me at all that the key
> actually belongs to the person you are claiming to be.

You're looking at it the wrong way.  There are different kinds of identity. A
signature verified through the web of trust tells you that someone in your
web of trust presumably checked gov't I.D. of the author.  That's fine if
you're a bouncer at a bar or a border guard, but

1. doesn't work so well for pseudonyms, at least when the author is unwilling
   to let anyone in your web of trust tie the pseudonym to his or her birth
   name. 
2. is only as good as gov't I.D.  There's a whole industry for faking it.

I'm overgeneralizing a bit, but my experience with key parties is a bunch of
mostly strangers looking at each other's driver's licenses or passports.

Another kind of identity is one established in an online forum, such as this
one.  It is more (admittedly not very much in this case) relevant for you to
know that this message is signed with the same key that is advertised in
messages from "the post.el guy" than from someone whose real name is Robert
Reid.  And trust me, there are lots of those.

Putting a key's fingerprint in the header of every message is a way to
establish support from the message for the key, not to draw support for the
message from the key.

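The point made above, that a fingerprint repeated in every message builds a persistent pseudonymous identity rather than vouching for any single message, can be turned into a check. The script below is an added example, not code from this thread or from any of its posters; it assumes an `X-PGP-Fingerprint` header (the thread only says "in headers") and uses constructed messages with made-up placeholder fingerprints. It also shows why the quoted poster called the fingerprint secure "in contrast to the keyid": two different keys can share a short key ID.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header name is an assumption; the thread only mentions advertising the key "in headers".
FP_HEADER = "X-PGP-Fingerprint"

# Constructed sample messages; the fingerprints are made-up placeholders, not real keys.
MESSAGES = [
    "From: the post.el guy <postel@example.invalid>\n"
    f"{FP_HEADER}: 0011 2233 4455 6677 8899  AABB CCDD EEFF 0A1B 2C3D\n"
    "Subject: first post\n\nbody\n",
    "From: the post.el guy <postel@example.invalid>\n"
    f"{FP_HEADER}: 0011 2233 4455 6677 8899  AABB CCDD EEFF 0A1B 2C3D\n"
    "Subject: second post\n\nbody\n",
    # Same name and address, but a different key whose short key ID happens to collide.
    "From: the post.el guy <postel@example.invalid>\n"
    f"{FP_HEADER}: FFEE DDCC BBAA 9988 7766  5544 3322 1100 0A1B 2C3D\n"
    "Subject: third post\n\nbody\n",
]

def normalize_fingerprint(raw):
    """Strip whitespace and upper-case; accept only a 40-hex-digit v4 fingerprint."""
    fp = re.sub(r"\s+", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError(f"not a v4 fingerprint: {raw!r}")
    return fp

def key_id(fp, short=False):
    """A v4 key ID is the low-order bits of the fingerprint: 8 hex digits (short), 16 (long)."""
    return fp[-8:] if short else fp[-16:]

def advertised_fingerprints(messages):
    """Map each sender address to the ordered list of fingerprints it has advertised."""
    seen = {}
    for text in messages:
        msg = message_from_string(text)
        _, addr = parseaddr(msg.get("From", ""))
        header = msg.get(FP_HEADER)
        if header:
            seen.setdefault(addr.lower(), []).append(normalize_fingerprint(header))
    return seen

def key_changes(messages):
    """Senders whose advertised fingerprint changed, i.e. the persistent identity broke."""
    return {a: fps for a, fps in advertised_fingerprints(messages).items() if len(set(fps)) > 1}

if __name__ == "__main__":
    for addr, fps in key_changes(MESSAGES).items():
        print(f"{addr}: advertised {len(set(fps))} different keys")
        print("  short key IDs (collide):", sorted({key_id(fp, short=True) for fp in fps}))
        print("  fingerprints (differ):  ", sorted(set(fps)))
```

A change in the advertised fingerprint for an established pseudonym is the signal worth noticing; comparing short key IDs alone would have missed it here.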