At 09:42 PM 8/2/96 -0700, Paul Wittry <ppw3@everett.com> wrote:
I understand PGP Open-Signed messages and why they are used. I've read all the FAQ's. I can't seem to figure out why some of us put our Fingerprints and/or Key-ID's at the end of messages.
Even with the PGP Web Of Trust, one of the difficult problems in cryptography is how to do key distribution - if you want to talk to Bob, how do you know you've really got _Bob's_ key instead of a key some imposter Eve _said_ was Bob's key? Similarly, if you receive a message saying "Bank X will pay you $Y, signed Bank X Small-Transactions-Teller", how do you know it really came from them and wasn't signed by some fake key that Carol genned up? One way is to get some well-known person to sign your key, or a chain of people which get you to a sig for the key you want. Another way is to give out your key, often. That way someone who gets email from "you", signed by "your" key, can compare the key with previous keys you've stuck on your email and business cards, and scream if there's a mismatch. For this, remember to use the full key fingerprint, not just the short KeyID which can be duplicated arbitrarily. This is especially useful for pseudonymous people like Black Unicorn. Another reason is just to remind people you've got a PGP key and make it easier to look up 0x12345678 correctly than "Joe Anonymous" or "smith". # Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com # <A HREF="http://idiom.com/~wcs"> Defuse Authority!