[clug-talk] GPG Fingerprints and Keys

simon simon at mungewell.org
Tue May 2 14:59:28 PDT 2006


On Tue, May 02, 2006 at 03:46:30PM -0600, Mitchell Brown wrote:
> I don't understand - is it possible to sign a key with just a fingerprint?
> Like, if I'm not on a keyserver then it's not much good is it?
> 

Hi again,
The purpose of the fingerprint is to confirm the validity of the key you
have downloaded/received via email/paper copy/morse code/carrier pigeon.

As I have physically met you, confirmed your identity and been handed a
piece of paper with the fingerprint written on it I can be sure that
it (the fingerprint) is real.

When I get the key, I import it and get gpg to show me the fingerprint 
(this acts like a check sum). If it matches then I can feel sure that the
key belongs to you, even though I did not get the key directly from you.

So when I sign the key I am happy to vouch for your identity - by signing all
I am saying is that 'I confirm that this is xxx's public key', nothing more
than that (I might still think you are an untrustworthy person ;-).

Like I said we can act this out at the LUG as a demonstration.

Simon.

PS. If you're having difficulty getting a key onto the public servers you
can use the web interface (wwwkeys.eu.pgp.net) or even the email
interface (pgp-public-keys at pgp.mit.edu).
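
Added example, not part of the original post: a shell sketch of the check described above, comparing the fingerprint gpg reports for an imported key with the one copied from paper, and signing only on an exact match. The function names, the sample listing and the 40-hex-digit (v4 key) length check are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_COLONS='pub:-:1024:17:89ABCDEF01234567:1146607168:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1146607168::::Example User <user@example.org>:
sub:-:2048:16:76543210FEDCBA98:1146607168::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Strip spaces, newlines and colons, and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n:' | tr 'abcdef' 'ABCDEF'
}

# Read colon-format output on stdin; print the primary key's fingerprint,
# which is field 10 of the first "fpr" record (later ones are subkeys).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# check_fpr PAPER LISTING -> 0 match, 1 mismatch, 2 unusable input.
check_fpr() {
    paper=$(normalize_fpr "$1")
    case "$paper" in
        *[!0-9A-F]*) return 2 ;;   # not hex at all
    esac
    # Assumption: v4 key. Refuse short key IDs; only a full fingerprint counts.
    [ "${#paper}" -eq 40 ] || return 2
    actual=$(printf '%s\n' "$2" | fpr_from_colons)
    [ -n "$actual" ] || return 2
    [ "$paper" = "$(normalize_fpr "$actual")" ]
}

# verify_and_sign KEYFILE USERID PAPER_FINGERPRINT (hypothetical wrapper)
verify_and_sign() {
    gpg --import "$1" || return 2
    listing=$(gpg --with-colons --fingerprint "$2") || return 2
    if check_fpr "$3" "$listing"; then
        # Sign by full fingerprint so exactly the verified key is signed.
        gpg --sign-key "$(normalize_fpr "$3")"
    else
        echo "fingerprint mismatch or unusable input: not signing" >&2
        return 1
    fi
}
```

If USERID matches more than one key in the keyring, only the first key listed is compared, so pass a specific key ID.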


