1994-08-31 - Re: including key fingerprints

Header Data

From: wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
To: cactus@bb.com
Message Hash: 0e554aede32d9d32f5c787e54046716038d4b1e85b42bf70d08ce12a90402f16
Message ID: <9408312152.AA00997@anchor.ho.att.com>
Reply To: N/A
UTC Datetime: 1994-08-31 21:53:45 UTC
Raw Date: Wed, 31 Aug 94 14:53:45 PDT

Raw message

From: wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
Date: Wed, 31 Aug 94 14:53:45 PDT
To: cactus@bb.com
Subject: Re: including key fingerprints
Message-ID: <9408312152.AA00997@anchor.ho.att.com>
MIME-Version: 1.0
Content-Type: text/plain


One of the better uses for key fingerprints is for inclusion in signature
files and other places that a key itself is too bulky.  By widespread
dissemination of the fingerprint, the chances of a bogus key being
undetected are decreased, since there are more channels for the fingerprint
to get to recipients, and more channels for the owner of a key to see
any bogus fingerprints out on the net.  It's also easier to validate
keys with someone you don't know very well, since you've got more chances
to see what the key for Joe X. is before meeting a person who tells you
he's Joe X. and he'd like to have you sign his key, fingerprint 123456ABCDFEFG.
On the other hand, if people widely start checking fingerprints they see,
there *is* some opportunity for the Bad Guys to create a distrust and
disinformation campaign by spreading false fingerprints and false keys.
(Now that Tommy the Tourist's NSA-bait is getting more sophisticated,
I'm almost surprised it's not including random PGP keys or fingerprints,
whether real ones or bogus ones to prod people into checking signatures...)

			Bill
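
Added example, not part of the original message or the archive: a Python sketch of the cross-channel fingerprint check the message describes, including the case where conflicting fingerprints are in circulation. It assumes the PGP 2.x-style fingerprint (MD5 over the RSA modulus and exponent bytes), which the message does not spell out; the key numbers, channel names and function names are constructed for illustration.

```python
import hashlib

# Constructed toy numbers standing in for an RSA public key (not a real key).
N = int("C3" * 64, 16)
E = 17

def v3_fingerprint(n: int, e: int) -> str:
    """PGP 2.x-style fingerprint: MD5 over the big-endian bytes of n, then e."""
    body = b"".join(x.to_bytes((x.bit_length() + 7) // 8, "big") for x in (n, e))
    return hashlib.md5(body).hexdigest().upper()

def normalize(fp: str) -> str:
    """Drop spaces/punctuation and upper-case, so '12 34 ab' equals '1234AB'."""
    return "".join(c for c in fp if c.isalnum()).upper()

def check_key(presented_fp, sightings):
    """Compare the fingerprint of a presented key with fingerprints already
    seen for that identity. sightings is a list of (channel, fingerprint).
    Returns (verdict, agreeing_channels, conflicting_channels)."""
    want = normalize(presented_fp)
    agree = sorted({ch for ch, fp in sightings if normalize(fp) == want})
    conflict = sorted({ch for ch, fp in sightings if normalize(fp) != want})
    if not sightings:
        verdict = "unverified"   # nothing seen before: no evidence either way
    elif agree and conflict:
        verdict = "conflict"     # bogus key or planted fingerprint; cannot tell which
    elif conflict:
        verdict = "mismatch"     # every prior sighting disagrees with this key
    else:
        verdict = "consistent"   # all channels agree with the presented key
    return verdict, agree, conflict

if __name__ == "__main__":
    fp = v3_fingerprint(N, E)
    spaced = " ".join(fp[i:i + 2] for i in range(0, len(fp), 2))
    planted = v3_fingerprint(N + 2, E)   # constructed "false fingerprint"
    seen = [("sig file", spaced), ("keyserver", fp.lower()),
            ("usenet post", planted)]
    print(check_key(fp, seen))
```

A "conflict" verdict only says that the channels disagree; deciding which fingerprint is the bogus one still takes an out-of-band check with the key's owner.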
			




