validating other keys on your public keyring

Shawn K. Quinn skquinn@speakeasy.net
Thu Oct 24 17:26:02 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday October 24 2002 00:52, Tuyen DINH wrote:
> Hi,
>
> According to "The GNU Privacy Handbook" :
> « a correspondent's key is validated by personally checking his key's
> fingerprint »  (http://www.gnupg.org/gph/en/manual.html#AEN335)
>
>  * is it equivalent or less secure to personally check the person's
>    keyid?

The fingerprint is only the lowest-order 32 bits of one of the primes
(RSA) or last 32 bits of the fingerprint (DSA). So for the highest
level of security you need to check the entire fingerprint.

>  * and why do most people send their fingerprint in their message,
>    since the fingerprint is the thing you want to check personally?

That's something you'd have to ask them, but my theory is if they have
100 messages with the right fingerprint in it, it makes it that much
harder for an attacker to pass off a bogus key as valid.

-- 
Shawn K. Quinn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9uBC1QVXDBVmaIp0RAr6lAJ0UnBzr0PLwNakObWHurQImJvTVaQCfXf7f
XvmwFV8tfe0IWIPwUYHXfTs=
=Jooo
-----END PGP SIGNATURE-----
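Added example, not part of the post above or of GnuPG itself: how a version 4 OpenPGP fingerprint is computed from the public-key packet (RFC 4880) and why the key ID is a weaker thing to compare, since it is just the trailing 64 or 32 bits of that fingerprint. The RSA modulus, creation time and the "lookalike" fingerprint are constructed toy values, not real keys.

```python
"""Fingerprint vs. key ID for a v4 OpenPGP public key.

The fingerprint is SHA-1 over the public-key packet (RFC 4880, 12.2);
the 64-bit "long" key ID is its last 8 bytes and the 32-bit "short"
key ID its last 4 bytes. Key material below is a constructed toy value.
"""
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880, 3.2)."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_public_key_body(created: int, algo: int, *numbers: int) -> bytes:
    """Body of a version 4 public-key packet: version, creation time, algorithm, MPIs."""
    return b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(x) for x in numbers)


def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 of 0x99, the two-byte body length, and the body itself."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_key_id(fpr: bytes) -> bytes:
    return fpr[-8:]


def short_key_id(fpr: bytes) -> bytes:
    return fpr[-4:]


def gpg_style(fpr: bytes) -> str:
    """Render like gpg --fingerprint: ten groups of four hex digits."""
    h = fpr.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 40, 4))


def check_full(expected: bytes, presented: bytes) -> bool:
    """What the handbook asks for: the entire 160-bit fingerprint must match."""
    return expected == presented


def check_short_id(expected: bytes, presented: bytes) -> bool:
    """The weaker check from the question: only the last 32 bits are compared."""
    return short_key_id(expected) == short_key_id(presented)


# Constructed toy RSA key (algorithm 1): a 64-bit modulus and e = 65537. Not a real key.
TOY_BODY = v4_public_key_body(1035480000, 1, 0xC0FFEE1234567891, 65537)
TOY_FPR = v4_fingerprint(TOY_BODY)
# Constructed fingerprint of a hypothetical second key that shares only the last 32 bits.
LOOKALIKE_FPR = bytes(16) + short_key_id(TOY_FPR)
```

The short-ID check accepts LOOKALIKE_FPR while the full check rejects it, which is the gap the reply's "check the entire fingerprint" advice closes.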