At 10:34 PM 10/28/2003 -0500, Michael Young wrote:
[...]
Also, note that the specification already provides a "signer userId"
subpacket that could be used to nearly the same effect as a "signer
primary fingerprint" subpacket.
I think that would prevent the version of this where the attacker tries to
convince the verifier that the signed message came from his *name*.
It wouldn't prevent the version where the attacker tries to convince the
verifier that the signed message came from his *key*, which is what using a
key fingerprint adds.
Trevor