VERIFYING KEY FINGERPRINTS

Mark Swearingen

mark@ephesus.com

Created Wednesday 2000 January 26

After importing my public key(s) from my web page or from the key server, you should verify the unique key fingerprint.

If you and I correspond with each other by e-mail frequently, you will probably want to do the following:  (a) verify the key fingerprints with me over the telephone (in order to avoid a possible e-mail middleman attack);  (b) sign and certify my public key with an exportable signature, using your own private key, and assigning it a high level of "trust" or confidence on your keyring; and  (c) send my key with your new certifying signature back to the public key server (or e-mail it to me so that I may do so).  When verifying fingerprints over the telephone, I recommend that the person who owns the key should read the fingerprint, and the person who is verifying the key should sign the key with his exportable signature only if the fingerprints match his copy of the key.

If, on the other hand, you and I are only occasional correspondents, or if it would be prohibitively expensive or impractical to verify keys over the telephone, then you might, for the sake of convenience, consider it sufficient simply to verify the key fingerprints over the Internet from a different source than the one where you obtained the key.  If you obtained the key from the key server, verify the fingerprints against my web page.  If you imported the key from my web page, ask me to send you the fingerprints by e-mail (preferably encrypted to your own public key).  To increase your confidence that our e-mail is not being intercepted by a middleman, you could ask me to send you, along with the key fingerprints, some information that only you and I would know (but which is not valuable information such as a Social Security number).  For example, you could ask me what we talked about after church last Sunday, or when and where we last saw each other in person.  Keep in mind, however, that a clever hacker could still substitute his own key fingerprint in such an e-mail message.  Therefore, if you verify fingerprints in this way, you should sign the key only with a non-exportable signature and assign it a low or "marginal" level of trust.

Fortunately, this key fingerprint verification needs to be done only once for each new public key you obtain.  After that, you may confidently use that public key to correspond with its owner, knowing that your communications are secure.
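As an added illustration (not part of the original page), here is a small Python script that normalizes fingerprints copied from different sources, compares them digit for digit, and maps the two verification paths described above to the corresponding GnuPG signing command and trust level; the fingerprints are constructed samples, not the author's real key.

```python
import hmac
import re

# Constructed sample fingerprints for illustration only (not a real key).
FROM_KEYSERVER = "1A2B 3C4D 5E6F 7081 92A3  B4C5 D6E7 F809 1A2B 3C4D"
READ_OVER_PHONE = "1a2b3c4d 5e6f7081 92a3b4c5 d6e7f809 1a2b3c4d"
FROM_WEB_PAGE_TYPO = "1A2B 3C4D 5E6F 7081 92A3  B4C5 D6E7 F809 1A2B 3C4E"

_HEX = re.compile(r"^[0-9A-F]+$")

def normalize(fpr: str) -> str:
    """Strip the grouping spaces/colons gpg and people add; upper-case the hex."""
    s = re.sub(r"[\s:]", "", fpr).upper()
    # 32 hex digits = v3 (MD5) fingerprint, 40 hex digits = v4 (SHA-1) fingerprint
    if not _HEX.match(s) or len(s) not in (32, 40):
        raise ValueError(f"not a PGP fingerprint: {fpr!r}")
    return s

def fingerprints_match(a: str, b: str) -> bool:
    """Whole-fingerprint comparison: a single wrong hex digit must fail."""
    return hmac.compare_digest(normalize(a), normalize(b))

def long_key_id(fpr: str) -> str:
    """For v4 keys the 64-bit key ID is the last 16 hex digits of the fingerprint."""
    s = normalize(fpr)
    if len(s) != 40:
        raise ValueError("key ID is derived from the fingerprint only for v4 keys")
    return s[-16:]

def certification_plan(mine: str, theirs: str, verified_by_phone: bool) -> dict:
    """Map the page's two verification paths to a gpg command and trust level.

    gpg accepts the full fingerprint as the key selector; after signing, the
    owner-trust is set interactively with `gpg --edit-key <fpr>` and `trust`.
    """
    if not fingerprints_match(mine, theirs):
        return {"action": "do not sign", "reason": "fingerprint mismatch"}
    fpr = normalize(mine)
    if verified_by_phone:
        # Verified out-of-band: exportable signature, high trust, send to key server.
        return {"action": f"gpg --sign-key {fpr}", "signature": "exportable", "trust": "full"}
    # Verified only over the Internet: local (non-exportable) signature, marginal trust.
    return {"action": f"gpg --lsign-key {fpr}", "signature": "local (non-exportable)", "trust": "marginal"}
```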
