Including public key

MFPA expires2011 at ymail.com
Sat Jul 30 02:03:04 CEST 2011


Hi


On Thursday 28 July 2011 at 4:22:52 PM, in
<mid:4E317ECC.1060107 at freenet.edmonton.ab.ca>, Jay Litwyn wrote:


> Do not sign my photo until you see me in person,

OK, fair enough. If the key has WoT signatures from people I trust to
have such a policy. But in the case of the OP's key with only
self-signatures, the inclusion of a photo would do nothing to reassure
me.



> although it would be tricky to fake photo-id production
> on skype. Photo-id doesn't make very good single
> frames, but change the angle on television and those
> chrome things flicker and move...

OK, use a TV projector and point your webcam at the screen.



>> A phone number would only help if the person ringing
>> it knew you well enough to recognise your voice on the
>> phone. Even then, somebody could record your voice
>> and use it to create an answerphone message...

> That is what a signed mp3 in my comment is about,

Signed with the key, and somebody who knows you could recognise your
voice if they play the file. Arguably, "Mallory" could make recordings
of your voice and use them to create such a file and sign it with
their fake key.



> and
> just in case you do not follow links in message source
> [comments] very often...

Like almost never. (-;


> http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
> (I will never call it a thumbprint or a fingerprint; key hash)

Why not? Using the standard term of "Fingerprint" rather than
"Keyprint_Biometric" might lead more people to understand what the
file was likely to be.


> Additionally, you can do a reverse lookup on my phone
> number

I could possibly pay somebody with law enforcement connections to do
that.



> and at least see if I am lying about my given
> and family names, according to a corporation that my
> library used to verify my identity.

Assuming the phone is billed to you personally, and that you gave your
real name when setting up the service.

I once had a library check on my phone number, by getting out the
phone book and finding my surname and address and comparing the number
listed to the one I gave them. (That was when I was in my teens and
lived with my parents, so the initial would not have matched my first
name.)



> My bottom line is that photos and phone numbers do not
> hurt.

Depends on the user's privacy requirements and threat model.


- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

He's an environmentalist - his arguments are 100% recycled




More information about the Gnupg-users mailing list