On 01/05/2013 06:04 PM, Werner Koch wrote:
> On Sat, 5 Jan 2013 20:38, iang(_at_)iang(_dot_)org said:
>> Fingerprints aren't really for the wire, and if you use them for the
>> wire, you're exercising your right to develop your own security model
>> and threat model. For my money - don't do that.
>
> The fingerprint is used for a revocation key (5.2.3.15). However, your
> policy may simply disallow the use of a revocation key if this is a
> threat to you.

iirc, there was a rough consensus within this working group that this
was probably a mistake in RFC 4880, and any future revision of the draft
should place the full key material into the revocation key subpacket
instead of the key's fingerprint.
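
What a verifier does with the RFC 4880 revocation key subpacket discussed in this thread, as an added example (not code from the message or from any OpenPGP implementation): it parses the 22-octet body and checks a candidate revoker key against it, which shows that the binding rests only on the SHA-1 fingerprint. The function names and the sample key bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct


def v4_fingerprint(pubkey_body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, a 2-octet length, then the key packet body."""
    header = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(header + pubkey_body).digest()


def parse_revocation_key(sub: bytes) -> dict:
    """Subpacket body: 1 octet class, 1 octet public-key algorithm, 20 octets fingerprint."""
    if len(sub) != 22:
        raise ValueError("revocation key subpacket body must be 22 octets")
    klass, algo = sub[0], sub[1]
    if not klass & 0x80:
        raise ValueError("class octet must have bit 0x80 set")
    return {"sensitive": bool(klass & 0x40), "algo": algo, "fingerprint": sub[2:]}


def is_designated_revoker(sub: bytes, candidate_body: bytes) -> bool:
    """True if the candidate V4 public-key packet body matches the subpacket.

    The only link to the revoker is the 160-bit hash: the subpacket carries
    no key material, so the candidate key has to be fetched separately and
    is accepted purely on fingerprint and algorithm equality.
    """
    rk = parse_revocation_key(sub)
    # V4 key body layout: version (1), creation time (4), algorithm (1), MPIs
    if len(candidate_body) < 6 or candidate_body[0] != 4:
        return False
    if candidate_body[5] != rk["algo"]:
        return False
    return hmac.compare_digest(v4_fingerprint(candidate_body), rk["fingerprint"])


def _toy_key_body(modulus: bytes) -> bytes:
    # Constructed sample, not a real key: V4, fixed timestamp, algorithm 1 (RSA),
    # a 16-bit "modulus" MPI and the exponent 65537 as a 17-bit MPI.
    return (b"\x04" + struct.pack(">I", 1357344000) + b"\x01"
            + b"\x00\x10" + modulus + b"\x00\x11\x01\x00\x01")


REVOKER_BODY = _toy_key_body(b"\xc3\x51")
OTHER_BODY = _toy_key_body(b"\xc3\x53")
SUBPACKET = bytes([0x80, 1]) + v4_fingerprint(REVOKER_BODY)

if __name__ == "__main__":
    print(is_designated_revoker(SUBPACKET, REVOKER_BODY))
    print(is_designated_revoker(SUBPACKET, OTHER_BODY))
```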