
Re: PGP Fingerprint



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 11:44 AM 1/13/99 -0600, Adam Israel wrote:
>I've seen several people include their PGP Fingerprint in their .sig, but I
>don't know why..  Can someone enlighten me?

Some earlier PGP versions had design flaws that made it possible
to duplicate a fingerprint by creating another key of different length
from the original, but newer versions (I think 5.0) don't have this
problem.
However, the fingerprint + KeyID + key length works, and we'll
assume for the rest of the discussion that you're either using
the newer fingerprint format or fingerprint plus KeyID plus length.

But why do you include the fingerprint in your signature?
The reason for the fingerprint instead of the key is because
it's much shorter (unlike James Donald's Crypto Kong,
which uses much shorter ECC keys.)
The reason for distributing your key or fingerprint widely
is to increase the chance that if somebody's forging your keys,
that somebody who has your fingerprint will notice it.
It also means that if somebody wants to send an encrypted reply
to a message you've posted publicly or sent privately,
they can verify that they have the correct encryption key.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3
Comment: You can get PGP outside the US at www.pgpi.com

iQA/AwUBNp+J5pfhBtrQLbiwEQLCkwCfQoBI6GqvX/qoGhM8VIXXYZHw1nEAoIeH
3NazTQPGe64sGvCLyUa090NU
=xQCU
-----END PGP SIGNATURE-----

				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
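
The point in the message above about fingerprint plus KeyID plus key length, as an added example that is not part of the original post: it computes the old MD5 fingerprint and the newer SHA-1 fingerprint as specified in RFC 4880, and shows that the old hash does not cover key length while the three-part comparison does. The function names and the sample integers are constructed for illustration and are not real key material.

```python
import hashlib

def mpi_body(x: int) -> bytes:
    """Big-endian bytes of x with no length prefix."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def mpi(x: int) -> bytes:
    """OpenPGP MPI encoding: two-octet bit count, then the body."""
    return x.bit_length().to_bytes(2, "big") + mpi_body(x)

def v3_fingerprint(n: int, e: int) -> str:
    # Old format (RFC 4880 sec. 12.2): MD5 over the bodies of n and e only.
    # No length is hashed, so the boundary between n and e is not covered.
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()

def v3_key_id(n: int) -> str:
    # Old-format key ID: low 64 bits of the RSA modulus.
    return format(n & 0xFFFFFFFFFFFFFFFF, "016X")

def v4_fingerprint(n: int, e: int, created: int = 0) -> str:
    # Newer format: SHA-1 over 0x99, a two-octet length, and the whole
    # public-key packet body (version, creation time, algorithm, MPIs).
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def old_format_identity(n: int, e: int) -> tuple:
    """What the post says to compare: fingerprint + KeyID + key length."""
    return v3_fingerprint(n, e), v3_key_id(n), n.bit_length()

# Constructed sample values: plain byte patterns, not real RSA key material.
RAW_N = bytes(range(0x81, 0xC1))          # 64 bytes -> 512-bit "modulus"
RAW_E = (65537).to_bytes(3, "big")
KEY_A = (int.from_bytes(RAW_N, "big"), 65537)
# Same byte stream, boundary moved one byte: a 504-bit "modulus".
KEY_B = (int.from_bytes(RAW_N[:-1], "big"), int.from_bytes(RAW_N[-1:] + RAW_E, "big"))

if __name__ == "__main__":
    for name, key in (("A", KEY_A), ("B", KEY_B)):
        fp, kid, bits = old_format_identity(*key)
        print(name, "old fp:", fp, "KeyID:", kid, "bits:", bits)
        print(name, "new fp:", v4_fingerprint(*key))
    print("old fingerprints equal:", v3_fingerprint(*KEY_A) == v3_fingerprint(*KEY_B))
    print("full identity equal:  ", old_format_identity(*KEY_A) == old_format_identity(*KEY_B))
```

When checking an old-format key against a fingerprint taken from a .sig, compare all three values returned by `old_format_identity`, not the fingerprint alone.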