Knowledge Base

How do I verify a key, or a fingerprint?

For safety, verify keys in at least two ways.

The most common check is that your contact appears to have successfully read a message you encrypted to them. On its own that is not enough; you need at least one more verification to be safe.

Ask the contact to provide their public key or its fingerprint through a channel other than email. The key or fingerprint must match your own copy. Compare fingerprints as described below.

Face to face is best. Other options are for them to publish the key's fingerprint on a public site or service, or to provide it by phone, SMS (if encrypted), or snail mail.

If you are verifying by hand, use the longest version of the fingerprint available. You don't have to compare the whole key by hand: a fingerprint is a reliable summary of a key, so if you verify the key's fingerprint, you have verified the key.

If you got a public key from a web site, it doesn't help much to verify using a fingerprint from the same web site. An attacker can spoof the web site and provide a matching fake fingerprint.

To compare a fingerprint using GoodCrypto:

  1. Browse to your GoodCrypto server website.
  2. Click the Verify fingerprint button; if the button is not on the screen, click the Mail menu.
  3. Type in the email address and click the Verify button.
  4. Compare the Key summary shown with the other person's Key summary (a key summary is the same thing as a fingerprint). Ignore spaces and whether a character is upper or lower case; otherwise the two must match exactly.
  5. If they don't match, do NOT use that key to communicate.
  6. If the fingerprint is not flagged as verified and you have verified it, flag the fingerprint as verified in the database.

If the other person is also using GoodCrypto Mail, they should follow this same procedure. Otherwise, they must use their own encryption software to look up the key summary (called the fingerprint in most encryption software) for the matching email address.
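The comparison rules from step 4 (ignore spaces and letter case, everything else must match) and the advice to use the longest fingerprint available, written out as a small checker. This is an added example, not GoodCrypto's own code; it assumes OpenPGP-style keys whose full fingerprint is 40 hex digits, and the sample fingerprints are constructed, not real keys.

```python
import hmac
import re

# Assumption: OpenPGP v4 keys, whose full fingerprint is 40 hex digits (160 bits).
FULL_FINGERPRINT_HEX_DIGITS = 40

MATCH = 'match'
MISMATCH = 'mismatch'    # do NOT use the key
TOO_SHORT = 'too_short'  # only a short key ID was compared; get the full fingerprint


def normalize_fingerprint(text):
    """Apply the step 4 rules: ignore spaces and letter case.

    Everything else must match, so a non-hex character is an error rather than
    something to strip silently.
    """
    digits = re.sub(r'\s+', '', text).upper()
    if not re.fullmatch(r'[0-9A-F]+', digits):
        raise ValueError('not a hex fingerprint: %r' % (text,))
    return digits


def compare_fingerprints(ours, theirs):
    """Compare our copy of a fingerprint with the one received out of band.

    Returns MATCH, MISMATCH or TOO_SHORT. A short key ID that equals the tail of
    the full fingerprint is TOO_SHORT, not MATCH: the article asks for the
    longest version of the fingerprint, and a key ID is only its last digits.
    """
    a = normalize_fingerprint(ours)
    b = normalize_fingerprint(theirs)
    if len(a) != len(b):
        shorter, longer = sorted((a, b), key=len)
        return TOO_SHORT if longer.endswith(shorter) else MISMATCH
    if len(a) < FULL_FINGERPRINT_HEX_DIGITS:
        return TOO_SHORT
    # Constant-time comparison; a good habit even for public data.
    return MATCH if hmac.compare_digest(a, b) else MISMATCH


# Constructed sample values (not a real key): our copy as the GoodCrypto Key
# summary shows it, and the same fingerprint as a contact might read it back.
OUR_COPY = '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
READ_BACK_BY_PHONE = '0123456789abcdef0123456789abcdef01234567'

if __name__ == '__main__':
    print(compare_fingerprints(OUR_COPY, READ_BACK_BY_PHONE))
```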