[NTLUG:Discuss] RSA Key Fingerprints
brian@pongonova.net
Fri Jun 14 14:19:59 CDT 2002
On Fri, Jun 14, 2002 at 12:43:03PM -0500, Val Harris wrote:
> My question is: As admin for the machine named foo, how do I get it to
> print its RSA key fingerprint for me to compare and verify? In the future,
> I may want to send this fingerprint to people before they connect to my
> machine so that they know they are connected to foo.bar.com, rather than
> to sniper.badguys.com trying to impersonate me.

How will the good guys know it was really you who sent the fingerprint, and not the
bad guys?

If you're really serious about preventing a MITM attack, you'll want to digitally
sign foo's fingerprint with your own key. Of course, this is presuming you have
securely provided *that* key's fingerprint to the good guys! Otherwise, how will
the good guys know that the digital signature is really yours?

Or, you could just phone somebody you know (and who knows you), exchange
fingerprints, and be done with it.

Just some food for thought. I didn't want anyone here believing that a fingerprint
is, in and of itself, a valid security measure.

--Brian
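
Added example, not part of the original message: assuming the prompt in question is OpenSSH's host-key check, this computes the fingerprint of a public key line (the same kind of value `ssh-keygen -l -f <keyfile>` reports) and compares it with one obtained over a trusted channel, such as the phone call suggested above. The key is a constructed sample, not a usable RSA key, and all function names are illustrative.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string, as in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def mpint(n: int) -> bytes:
    """Positive integer; the extra leading byte keeps the sign bit clear."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def constructed_pubkey_line(seed: bytes = b"foo") -> str:
    """Constructed sample in the shape of ssh_host_rsa_key.pub (not a real key)."""
    n = int.from_bytes(hashlib.sha256(seed).digest() * 8, "big") | 1
    blob = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " root@foo.bar.com"


def key_blob(pubkey_line: str) -> bytes:
    """Decode the base64 field and check it names the same key type."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if blob[:4 + len(fields[0])] != ssh_string(fields[0].encode()):
        raise ValueError("key type does not match encoded blob")
    return blob


def fingerprint_md5(pubkey_line: str) -> str:
    """Colon-separated MD5 hex, the form SSH clients printed in 2002."""
    digest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(pubkey_line: str) -> str:
    """Unpadded base64 SHA-256, the form current OpenSSH prints."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_trusted(pubkey_line: str, trusted_fp: str) -> bool:
    """Compare the offered key with a fingerprint received out of band."""
    trusted = trusted_fp.strip()
    if trusted.startswith("SHA256:"):
        return fingerprint_sha256(pubkey_line) == trusted
    return fingerprint_md5(pubkey_line) == trusted.lower()
```

The comparison is only as trustworthy as the channel that delivered `trusted_fp`; a fingerprint copied from the same connection being verified proves nothing.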