Topic: More specific verification

I've noticed that the verification solely provides you with a name and e-mail address, however it would take about 10 seconds to spoof just this (attacker could just as easily make a new key with the same name and email, alter message, and re-verify with that.) I think you need to add the fingerprint data to make sure that the verification is authentic, it's much more difficult to spoof that.

Re: More specific verification

I don't unterstand very well....

Re: More specific verification

Simply when verifying, why not provide the key fingerprint (mine's A3855D9B) in addition to simply the name and address to prevent key spoofing?

Re: More specific verification

Ok.

Re: More specific verification

It might be an OK idea to show the ID, but creaturex is wrong to say that it could be spoofed. The way GPG works is that you have to import public keys into your keyring. It relies on you only importing keys that you trust, showing the ID doesn't help at all in this.

Re: More specific verification

Apart from that you should NOT import keys with Firefox, but through your keyring manager, whatever that is. This process should remain totally outside Firefox.

Re: More specific verification

@melianor : Why not ?