[KLUG Members] Re: GPG/PGP

Phillip Hofmeister plhofmei at antiochcomputerconsulting.com
Tue Jun 22 17:27:00 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 22 Jun 2004 at 04:57:14PM -0400, bill wrote:
> It appears you sent me your public key and fingerprint below (which
> match), so simply confirming that should be good.  

NO!

Email is an untrusted medium.  Someone could have swapped keys while the
email was in transit (unlikely though it is...) and regenerated the
fingerprint to match the one they swapped.

Not to mention, you don't know he even sent the message, all email
headers (including from and list-based headers) can easily be forged.

You should ALWAYS verify the fingerprint over a TRUSTED medium (I would
consider phone acceptable, but in-person is always ideal).

In order to sign a key you should verify three things:

1. The person whose name is on the key is really the owner (Validate the
key's fingerprint with them in-person).

2. The person is who they claim to be (Unless you know the person, you
check their driver's license or some other form of ID).

3. The email addresses on the user IDs all belong to the person/key
(this can usually be verified by sending an encrypted challenge to each
email address and then asking them to decrypt the message and return
it).


I hope this helps clarify why just signing the key when someone emails
it to you is a bad idea.

- -- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Key available at http://www.zionlth.org/~plhofmei/key.asc

iD8DBQFA2KQgS3Jybf3L5MQRAtVWAJ4iRtgoSrZsOnF5FdKYaPMEZI9sZACgi0os
LNyMR5fBU15lWl/DQaM2lqk=
=0fKt
-----END PGP SIGNATURE-----
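The three checks above, as an added shell example around GnuPG (this is not code from the original post or from the KLUG list). It assumes GnuPG 2.1 or later for --show-keys and --quick-sign-key, a key file received by email, and a fingerprint transcribed from a phone call or in-person meeting; the sample fingerprint and user ID in the comments and usage are constructed. The identity-document check cannot be scripted, and mailing the per-address challenges and comparing what comes back is left to the human; the script only prepares them.

```shell
#!/bin/sh
# Added example (not the post's own code): key-signing checks around GnuPG.
# Assumptions: GnuPG >= 2.1, a key file that arrived by email ($1), and a
# fingerprint read back over a trusted channel ($2), e.g. the constructed
# "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567".

# Normalise a fingerprint as a person reads it aloud (spaces, colons,
# mixed case) so the transcription can be compared with gpg's output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# A read-back proves nothing unless it is a complete v4 (40 hex digits)
# or v5 (64 hex digits) fingerprint; a short key ID or a partial read
# is rejected here.
fpr_is_complete() {
    f=$(normalize_fpr "$1")
    case "$f" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ ${#f} -eq 40 ] || [ ${#f} -eq 64 ]
}

# Check 1: the fingerprint from the trusted channel must match the key
# that actually arrived, whatever the email body claimed it was.
fingerprints_match() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Fingerprint of the primary key in an armored key file, taken from the
# machine-readable --with-colons output ("fpr" record after "pub").
key_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1=="pub"{want=1;next} $1=="fpr"&&want{print $10;want=0}'
}

# All user IDs on the key, one per line.
key_uids() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1=="uid"{print $10}'
}

# Address part of a user ID of the form "Name <addr>"; empty otherwise.
uid_email() {
    u=$1
    case "$u" in
        *\<*\>*) e=${u##*"<"}; printf '%s\n' "${e%%">"*}" ;;
        *) printf '\n' ;;
    esac
}

# Check 3: one random challenge per UID address, encrypted to the key so
# only the holder of the private key can read it.  --trust-model always
# is needed because the key is, by design, not yet signed or trusted.
make_uid_challenges() {
    fpr=$1
    keyfile=$2
    key_uids "$keyfile" | while IFS= read -r uid; do
        addr=$(uid_email "$uid")
        [ -n "$addr" ] || continue
        token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
        printf '%s\n' "$token" > "challenge-$addr.txt"
        gpg --batch --yes --armor --trust-model always -r "$fpr" \
            -o "challenge-$addr.asc" --encrypt "challenge-$addr.txt"
        echo "mail challenge-$addr.asc to $addr; expect $token back"
    done
}

# Tie the checks together.  $1: key file from email, $2: transcribed fingerprint.
verify_key() {
    keyfile=$1
    spoken=$2
    fpr_is_complete "$spoken" || { echo "not a full fingerprint: $spoken" >&2; return 1; }
    computed=$(key_fingerprint "$keyfile" | head -n 1)
    [ -n "$computed" ] || { echo "no primary key found in $keyfile" >&2; return 1; }
    if ! fingerprints_match "$spoken" "$computed"; then
        echo "MISMATCH: key in email is $computed, not what was read out" >&2
        return 1
    fi
    gpg --batch --import "$keyfile" >/dev/null 2>&1
    # Check 2 (photo ID for someone you do not already know) is a human step.
    echo "fingerprint $computed verified out of band; confirm ID before signing"
    make_uid_challenges "$computed" "$keyfile"
}

# Only after all three checks: an exportable certification on the key.
sign_key_after_checks() {
    gpg --batch --quick-sign-key "$1"
}

# Run the gpg-driven procedure only when given a key file and a fingerprint.
if [ $# -ge 2 ]; then
    verify_key "$1" "$2"
fi
```

Usage: `sh verify-key.sh key.asc "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"` (constructed fingerprint), then mail each challenge file, and run `sign_key_after_checks` with the fingerprint only once every address has returned its token and the ID check is done. A fingerprint the script compares against must come from the phone call or the meeting, never from the same email that carried the key.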

