
0xa11a8a18bf6dbe8362926e9458a3616d/0x4d162bbe1 a.k.a Amad3us wrote:
> > I'm not sure a timestamp matters that much for "authenticating" your key. After all, you don't own "Amad3us", you own key 0x4D162BBE1.
>
> Yes. Except for minor nit: 0x4D162BBE1 is susceptible to a 0xdeadbeef attack, anyone can generate another key with that keyID. Even the fingerprint is spoofable. But the combination is truly hard to spoof, and this I do own: 0xa11a8a18bf6dbe8362926e9458a3616d/0x4d162bbe1 (fingerprint/keyID).

Uhhh... that's what I meant to say. (Although I can't think of a circumstance where the fingerprint matters if the reputation is bound to the key only.)

While we're on the subject, why are key IDs used anyway? People don't really use them for anything. Software might as well use the complete description of the key internally.

For that matter, I'm not sure the e-mail address and user name are good things to associate with the key. The e-mail address changes all the time. The user name should be assigned by you as part of the authentication procedure, not by the person offering the key.

Monty Cantsin
Editor in Chief
Smile Magazine
http://www.neoism.org/squares/smile_index.html
http://www.neoism.org/squares/cantsin_10.htm
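
The claim in this exchange, that a different key can share the key ID or the fingerprint while the pair is hard to match, checked as an added example that is not part of the original post. It assumes the PGP 2.6 (version 3 key) definitions: the key ID is the low 64 bits of the RSA modulus, and the fingerprint is MD5 over the modulus and exponent bytes without their lengths. All integers are constructed stand-ins, not real keys.

```python
import hashlib

def mpi_body(x: int) -> bytes:
    """Big-endian bytes of x with no length prefix (what a v3 fingerprint hashes)."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def v3_key_id(n: int) -> str:
    """v3 key ID: low 64 bits of the RSA modulus n."""
    return format(n & 0xFFFFFFFFFFFFFFFF, "016x")

def v3_fingerprint(n: int, e: int) -> str:
    """v3 fingerprint: MD5 over the bytes of n followed by the bytes of e."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest()

def matches_pin(n: int, e: int, pinned_fpr: str, pinned_key_id: str) -> bool:
    """Accept a key only if BOTH the fingerprint and the key ID match the pin."""
    return v3_fingerprint(n, e) == pinned_fpr and v3_key_id(n) == pinned_key_id

# Constructed stand-in for the key we trust (not a real RSA modulus).
N = int.from_bytes(bytes(range(1, 32)) + b"\xe1", "big")
E = 17
PIN_FPR, PIN_ID = v3_fingerprint(N, E), v3_key_id(N)

# Constructed look-alike 1: a different modulus whose low 64 bits are
# identical, so it displays the same key ID.
SAME_ID_N, SAME_ID_E = N ^ (1 << 200), E

# Constructed look-alike 2: the same hashed byte string split at a different
# n/e boundary. MD5 sees identical input, so the fingerprint is identical,
# but the low 64 bits of the modulus change, so the key ID does not match.
_body = mpi_body(N) + mpi_body(E)
RESPLIT_N = int.from_bytes(_body[:-2], "big")
RESPLIT_E = int.from_bytes(_body[-2:], "big")

def report() -> dict:
    """Which single identifier each look-alike matches, and the pin verdict."""
    out = {}
    for name, (n, e) in {"trusted": (N, E),
                         "same_key_id": (SAME_ID_N, SAME_ID_E),
                         "resplit": (RESPLIT_N, RESPLIT_E)}.items():
        out[name] = (v3_key_id(n) == PIN_ID,
                     v3_fingerprint(n, e) == PIN_FPR,
                     matches_pin(n, e, PIN_FPR, PIN_ID))
    return out

if __name__ == "__main__":
    for name, flags in report().items():
        print(name, dict(zip(("key_id", "fingerprint", "pin"), flags)))
```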