RE: Question about key fingerprint uses

2012-04-28 Thread Anthony Papillion

>  Original Message 
> Subject: Re: Question about key fingerprint uses
> From: Peter Lebbing 
> Date: Fri, April 27, 2012 5:40 am
> To: Anthony Papillion 
> 
> You're turning it around :). Rather than verify you are speaking to John using
> his fingerprint, you are verifying the fingerprint by speaking to John.
> 
> You should already be sure the person on the line is John Smith. John Smith then
> tells you his fingerprint such that you can be sure the key you're looking at
> actually belongs to John Smith, and hasn't been exchanged by a man in the middle.


Aha! That makes it crystal clear! Indeed, I had turned it around. So
then that's why key signing parties rely on verifiable ID. The user
verifies his ID so you can be sure the fingerprint he's providing is his
actual fingerprint. Makes perfect sense now.

Anthony


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
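
The check described in this thread, as an added example that is not part of the original messages: the fingerprint John reads out on a call where you already know it is him is compared against the primary-key fingerprints in a key listing. The listing is constructed sample data in the format of gpg's --with-colons output, every fingerprint in it is made up, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the format of: gpg --with-colons --fingerprint "John Smith"
# Two keys carry the same user ID; every fingerprint below is made up.
SAMPLE_LISTING='pub:-:2048:1:1111222233334444:1335398400:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1335398400::::John Smith <john@example.org>:
sub:-:2048:1:5555666677778888:1335398400::::::e:
fpr:::::::::99990000AAAABBBBCCCCDDDD5555666677778888:
pub:-:2048:1:89ABCDEF01234567:1335484800:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1335484800::::John Smith <john@example.org>:'

# Remove spaces and colons and uppercase the hex digits, so a fingerprint
# read aloud in groups of four compares equal to gpg's 40-digit form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read a colon listing on stdin and print each primary-key fingerprint:
# the first fpr record after a pub record. Subkey fpr records are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# check_fpr SPOKEN < listing
# Status 0 and the fingerprint on stdout if SPOKEN matches a primary key,
# 1 if no key matches, 2 if SPOKEN is not a full 40-hex-digit fingerprint
# (a short key ID is not accepted as proof).
check_fpr() {
    spoken=$(normalize_fpr "$1")
    case "$spoken" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#spoken}" -eq 40 ] || return 2
    primary_fprs | grep -Fx -- "$spoken"
}

# The value John read out over a channel where his identity is already known.
# The comparison proves nothing if that value came from the same source as the key.
printf '%s\n' "$SAMPLE_LISTING" |
    check_fpr 'aaaa bbbb cccc dddd eeee ffff 1111 2222 3333 4444' >/dev/null &&
    echo 'match: this copy of the key is the one John holds'
```

Against a real keyring, pipe the output of gpg --with-colons --fingerprint "John Smith" into check_fpr in place of the sample listing.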


Re: Question about key fingerprint uses

2012-04-27 Thread Peter Lebbing
On 26/04/12 13:48, Anthony Papillion wrote:
> and that will print out his key fingerprint. This would work for anyone
> else with John Smith's key as well. So let's say I'm on the phone with
> someone I think is John Smith but wanted to verify using his key
> fingerprint. How would asking him to tell it to me mean anything since
> ANYONE can get his fingerprint as long as they have his key?

You're turning it around :). Rather than verify you are speaking to John using
his fingerprint, you are verifying the fingerprint by speaking to John.

You should already be sure the person on the line is John Smith. John Smith then
tells you his fingerprint such that you can be sure the key you're looking at
actually belongs to John Smith, and hasn't been exchanged by a man in the middle.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt



Question about key fingerprint uses

2012-04-27 Thread Anthony Papillion
So I was browsing the documentation this morning when I came across this
documentation for the --fingerprint flag:

"You want to see "Fingerprints" to ensure that somebody is really the
person they claim (like in a telephone call). This command will result
in a list of relatively small numbers."

I'm not really sure how this would work in real life. For example, if I
have John Smith's key I can type

gpg --fingerprint "John Smith"

and that will print out his key fingerprint. This would work for anyone
else with John Smith's key as well. So let's say I'm on the phone with
someone I think is John Smith but wanted to verify using his key
fingerprint. How would asking him to tell it to me mean anything since
ANYONE can get his fingerprint as long as they have his key?

Thanks!
Anthony

