-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/06/12 14:59, Sam Smith wrote:
> 
> Okay. So please let me know if I understand correctly what I am supposed to 
> do (or what you guys are recommending be done) with key signing:
> 
> I downloaded the GnuPG program and ran gpg --verify. I am told the keyID that 
> signed the program. I download that KeyID from a keyserver. I now ask people 
> on this list to verify the fingerprint of the key I got from the keyserver as 
> a legit key. (So far this behavior is okay, right?) Since people on this list 
> verified the fingerprint, I have enough confidence to verify the GnuPG 
> program with the key. BUT I do not have enough confidence to mark the key 
> (the one I got from the keyserver) as Trusted or to Sign the key because I 
> have not met with Werner Koch in person and seen credentials. 
> 
> Summation of Proper Key Signing Behavior: 
> 
> 1.) I should NOT sign a key as trusted unless I have actually met with the 
> person and seen his/her credentials. I can sign if I KNOW the person and 
> verify the fingerprint with that person. But even these situations run the 
> risk of dealing with a "secret agent."
> 
> Applying this rule, since I have not met Werner Koch, I should not sign his 
> key. Verifying the fingerprint on a downloaded key is enough to use the key 
> to verify software, but it's not enough to actually trust and sign the key. 
> Hence using it to verify runs some risk because the key is not totally 
> trustworthy.
> 
> Every time I use Werner Koch's key to verify a GnuPG program, I will get the 
> warning that I am verifying with an untrusted key. You guys all get this 
> warning because all of you are also not signing keys (even if you've verified 
> the fingerprint with others) because you have not met with all the people 
> needed in order to sign all the keys you have. Right? You guys all get this 
> warning whenever you "gpg --verify", right?
> 
> In short, I should always be seeing the notice that I have verified using an 
> untrusted key when using Werner Koch's key unless/until I actually meet him 
> and see credentials. The only time you guys don't see this notice when 
> verifying a key is when you use a key that you have actually met the signer 
> of face to face, right?
> 
> 
> Do I understand correctly? Is this all accurate? With this behavior, would I 
> be doing Best Practices and what you guys all do?
> 
> 
> Thanks for the instruction, guys. I appreciate the time and energy you guys 
> spent writing the emails to me. It means a lot to me.
> 
> 
>> Date: Sat, 9 Jun 2012 06:09:54 +0100
>> From: da...@gbenet.com
>> To: smick...@hotmail.com
>> CC: gnupg-users@gnupg.org
>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>>
> On 08/06/12 22:41, Sam Smith wrote:
>>>>
>>>> Another thing is that downloading the key from that link you provided is 
>>>> no guarantee of safety in and of itself either because the page is not 
>>>> being hosted over SSL with confirmed identity information. So technically 
> >>>> there's no guarantee I'm actually interacting with the GnuPG.org website.
>>>>
>>>>
>>>>
>>>>> Date: Thu, 7 Jun 2012 05:23:43 +0100
>>>>> From: da...@gbenet.com
>>>>> To: gnupg-users@gnupg.org
>>>>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>>>>>
>>>> On 07/06/12 00:15, Sam Smith wrote:
>>>>>>> yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm 
>>>>>>> trying to guard against.
>>>>>>>
>>>>>>> My efforts to verify the fingerprint are the best way to do this, 
>>>>>>> correct?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Date: Wed, 6 Jun 2012 21:54:01 +0200
>>>>>>>> From: pe...@digitalbrains.com
>>>>>>>> To: gnupg-users@gnupg.org
>>>>>>>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>>>>>>>>
>>>>>>>> On 06/06/12 17:58, Mika Suomalainen wrote:
>>>>>>>>>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>>>>>>>>> Looks correct.
>>>>>>>>>
>>>>>>>>> ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 gpg:
>>>>>>>>> requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net gpg: 
>>>>>>>>> key
>>>>>>>>> 4F25E3B6: public key "Werner Koch (dist sig)" imported
>>>>>>>>
>>>>>>>> I agree it appears he has the correct key. I did a local sig on it 
>>>>>>>> after what
>>>>>>>> checking I seemed to be able to do without meeting people in person.
>>>>>>>>
>>>>>>>> But it's a bit unclear to me on what basis you decided it looked 
>>>>>>>> correct? Your
>>>>>>>> mail suggests to me that you decided that based on the fact that the 
>>>>>>>> UID on
>>>>>>>> that key is "Werner Koch (dist sig)". But that would be the very first 
>>>>>>>> thing a
>>>>>>>> potential attacker would duplicate in his effort to fool our OP. Even 
>>>>>>>> if he's
>>>>>>>> using MITM tricks to subvert his system, he can still post his 
>>>>>>>> personally
>>>>>>>> generated key to the keyserver with this UID.
>>>>>>>>
>>>>>>>> Peter.
>>>>>>>>
>>>>>>>> PS: I briefly considered signing this message, because the attacker 
>>>>>>>> might MITM
>>>>>>>> my message to the OP. Then I realised what good that signature would 
>>>>>>>> do :).
>>>>>>>>
>>>>>>>> --
>>>>>>>> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
>>>>>>>> You can send me encrypted mail if you want some privacy.
>>>>>>>> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Gnupg-users mailing list
>>>>>>>> Gnupg-users@gnupg.org
>>>>>>>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>>>>>>
>>>>>>>
>>>>
>>>> Sam,
>>>>
> >>>> You are a little confused - you ask "can someone verify the gnupg fingerprint for pubkey" and you use Verner's key to verify gnupg. Then you worry about impersonation - now clearly Verner and gnupg have different keys. Or don't you know that?
>>>>
>>>> Clearly you failed to follow my link and clearly you failed to check the 
>>>> public key for
>>>> gnupg. Now being a little confused try and get a clear question in your 
>>>> mind - is it
>>>> Verner's key that you have such a passion to verify or gnupg?
>>>>
> >>>> Verner's had about three keys, two of which have expired - to the best of my knowledge he's a real person - he even maintains this list. You could always try encrypting an e-mail to his public key asking him if he's a real person. I'd suggest you not do the same for the public key of gnupg.
>>>>
> >>>> People generate a private and a public key; imaginary people don't do this - granted someone can set up a false ID and create a set of keys - but though they have created a false ID to do so they are nevertheless real people.
>>>>
>>>> If you are so concerned about Verner's key why not take a trip to Germany 
>>>> and arrange to
>>>> meet him? You can't meet the gnupg (as its a bit of software) but you can 
>>>> verify it's
>>>> running on your computer.
>>>>
> >>>> All your keys are "untrusted." Every one of them - apart from your own public key. They all remain so until you actually meet that person and verify that they are who they say they are. You carefully check their passport, their driving licence.
>>>>
>>>> But gnupg has not got a passport or a driving license. The only way you 
>>>> can check if gnupg
>>>> is real is to check if it's running on your computer gpg --version - this 
>>>> will tell you if
>>>> you have the software installed. If it's installed and working correctly 
>>>> it must be real.
>>>>
>>>> What if that fails? Well you do the same thing gpg2 --version and hope 
>>>> that Verner does not
>>>> pop up and say "Hello."
>>>>
>>>> David
>>>>
>>>>
>>>>>
>>>>                                      
> Sam,
> 
> You have to apply some logic - and some common sense. I have about 180 public 
> keys - all
> apart from about 5 or 6 are untrusted. Now a lot of people have my public key 
> say 175 and
> all those people have my public key marked as untrusted.
> 
> The whole idea behind the web of trust is that you have met "real" people. On 
> the whole most
> people are who they say they are - but with all systems you get people using 
> fake IDs.
> 
> Now Werner Koch has a reality - he writes GPG4Win and GnuPG and maintains this list - but because I've not met him (though I have exchanged e-mails with him) I have not signed his key.
> 
> Why?
> 
> The whole principle underlying the web of trust is that you have met that person in the real world and to the best of your knowledge they are who they say they are and their public key belongs to them.
> 
> It is a principle of the whole system that you only sign people's keys. The 
> person comes
> first - not the key.
> 
> It's not the validity of keys but the validity of people. So in your everyday life you accept that the train driver, the bus driver, the person behind the bar, your wife and kids are all living real and normal lives. Now, your wife and kids are somewhat different. You married your wife and thus can trust she presented to you a real ID. You had sexual intercourse with this real person (your wife) and she as a result of that intercourse produced your kids.
> 
> Your relationship to your wife and kids is special - you trust that they are really real and you believe it to be true. And why not? You wake up in the morning beside her - you watch your kids grow up. Now 20 years into your marriage you discover that your wife's a secret agent - Jane Brown - not the Mary Smith you thought you married - and that where you thought your kids sprang from your seed they were in fact from the milkman. The reality - the belief is she's still your wife and they are your kids - they have behaved as such.
> 
> 
> Most people are bound up with beliefs and behaviours. They interact with others on a daily basis sharing common values, beliefs and behaviours. Under normal conditions we don't ask everyone we meet for their passport, driving license or DNA sequence. We accept it as the norm that people are real and valid - it's the IDs they use which may or may not be questionable.
> 
> A spy may have say 6 IDs - the IDs are fictitious but the person is real. You have lots of family and friends - who they are - what they are changes over time and changes because of the conditions under which you meet them - they could be a Father, a Professor, an Olympic Javelin thrower - then Retired - then dead. All these are IDs - which govern your behavioural interaction with that person. What do you trust? That you hear them speak? You have shaken them by the hand? Gone down the pub with them?
> 
> In truth we can not say that all these IDs are "real" neither can we say they 
> are "false."
> But we interact with them and so build a reality of behaviours - sharing 
> common interests
> and values and beliefs. Just like all these people on this mailing list. 
> People are real.
> Though they may have many identities.
> 
> It is common practice to accept people at "face value" - even if you only "know" them from being on a mailing list. It is by common interaction - "communication" - that one reinforces one's own belief systems and we accept the commonly held belief that we are interacting with a real person - we through our own perception then make judgements about that person - we like them or we don't - we admire and respect them or we don't - we trust what they have to say or we don't.
> 
> We make value judgements about real people - no matter what ID they present to us. It's the "face value" which is the key. Have we met the person? We affirm the reality of people via our social networking. Mary knows Bob - Bob knows Harry and Harry knows Mary. You can ask Bob and Harry to confirm that it really is Mary that you are talking to. We all can confirm to some degree the reality of Werner Koch - by what he does. But I have not met him in any social network other than this and other mailing lists.
> 
> So people on this mailing list "know" that Werner Koch is "real." You can send him an encrypted e-mail and, if he has your public key, he can reply to you. The "reality" is we make people "personal" to ourselves by interacting with them. If we don't interact we don't build any models in our minds. If say 5 people said that they had actually met Werner in the flesh - at face value - you would accept that Werner Koch was who he said he was.
> 
> We assign material documents to give validity to real people. People come 
> first not the
> documentation. A public key is such a document. A person may generate many 
> public keys - the
> person is the real validity. You do not affirm a level of trust in the public 
> key. You
> affirm a level of trust in the person. So all your public keys are 
> untrustworthy except for
> those people that you have met. So even though I and many others have 
> exchanged e-mails with
> Werner Koch his public key remains untrusted.
> 
> Likewise you can not meet face to face with a bit of software, though you may affirm it's on your computer and you may affirm by interacting with it - the fact remains the public key remains untrustworthy.
> 
> I have lots of keys - 98 per cent are "untrustworthy." It's normal. It is not the same as having the perception of an untrustworthy person - which is based on our perception of the value system we place on their behaviours. A public key is a static document - whereas people - those that are alive - have values, belief systems and behaviours that interact with other human beings out of common interests and goals. Some people have a mind set that says "that person is real therefore their documents are real." Then they form value judgements on that documentation - to trust or not to trust - as though they were interacting with real people.
> 
> In reality we can not judge the value of documents. In reality we can judge the value of people. We make value judgements about people all the time - based on their interaction with us - our mood - how we feel at any given time. We interpret according to our reality and perceptions.
> 
> What is our "reality" about public key encryption? The validation of public 
> keys? The
> validation of real people? We almost forget why we want public key encryption 
> - so that only
> the recipient can read our e-mails. The "recipient" is a person - their 
> public key is merely
> a tool to which software on your computer can encrypt to their public key. 
> That's the only
> reality a public key has. It is not a seal of authenticity - not a rubber 
> stamp. It has no
> power vested in it as to give "authority." It is merely a means for secure 
> communications
> over an insecure network.
> 
> The web of trust - signing people's keys - is based on people meeting face to face and interacting in a social network - it is not about the level of trust one has in the public key. A key's "validity" is that it works. The validity is that the recipient of an encrypted message can decrypt it. All keys are valid in this respect. They are in a sense all trustworthy. All keys do what they say they can do. Without any failure. So you need not set any level of trust on keys because they work perfectly.
> 
> The "trust" is in the person - not the public key. So some would argue that signing Werner's key is crazy - has no logic and a misplaced value system. I'd have to agree.
> 
> David
> 
> 
>
Hello Sam,

First off - it's normal to have most of your keys as "untrusted." It does not matter how many other people have signed that public key - you have not met that person, have not verified them via some photo ID and have not met them in a social context. Most people are normal users of pgp - I suspect there are few secret government agents - not that they are likely to say so :) though some believe them to be everywhere. GnuPG works perfectly. Signing and setting a level of trust is to do with building the web of trust - and that is all about people. It is about holding key-signing parties - developing your social network of pgp users - through family, friends, work colleagues, club members - and the wider world.

To find out more visit http://gbenet.com/blog

David

- -- 
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion.” https://linuxcounter.net/user/512854.html - http://gbenet.com/blog
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP1Tw7AAoJEOJpqm7flRExupgH/0VfmtF6CBW6HVbz5nCSrVZA
yEhzcSJquJkkEVlZN30poFQA2L6d7krJl5LYY9t5zpYBvN6v0kl/0aaU3aVjxxL7
OIL1OpH3GktUKashbtXPqEpb1N3VtoTeYJaSaguBuQHV3o6g/o+g+7kdauKlQWoq
n9fbbdl61mDICn3RrELKVOrPYKz0W22NGHVjEbU8zq/Kvhz1vPD+ZyiwHj4xHx8D
1A7LqRA+yXQ07J5mNQbZt2//Vs7Q8INOXs1sGkbwkHUtQ0V68KpM//FaPaaMfhZz
L1WVUMsDdM+c619cKPMNsD+14DhIVNi4hiCvasDRFv+QMclzEYNO9O4mx+lBqsk=
=QF1U
-----END PGP SIGNATURE-----
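As an added example for the fingerprint-checking exchange above (it is not code from any poster on this thread, nor anything GnuPG ships), the script below reads the machine-readable listing that `gpg --with-colons --fingerprint <keyid>` prints and applies Peter's point: match the key on its full fingerprint, never on the "Werner Koch (dist sig)" user ID, which anyone can put on a key they upload to a keyserver. The listing is constructed inline so the script runs offline; the first fingerprint is the one quoted on the list, while the second key, the dates, the uid hash and the `tru` line are placeholders. It also reports whether `gpg --verify` with that key would still print the "not certified with a trusted signature" warning Sam asks about, which depends on the validity column, and notes that a local signature (`gpg --lsign-key`, the "local sig" Peter mentions) raises validity without publishing anything.

```python
"""Check a fetched OpenPGP key by fingerprint, not by user ID.

Added example for the discussion above; not code from any poster on this
thread. It parses the listing that `gpg --with-colons --fingerprint` prints
and reports whether the key whose fingerprint was quoted on the list is
actually the one in the keyring.
"""
import re

# Fingerprint quoted on the list for "Werner Koch (dist sig)".
EXPECTED_FPR = "D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6"
UID = "Werner Koch (dist sig)"

# Constructed sample of `gpg --with-colons --fingerprint` output (GnuPG 1.4
# record layout). Two keys carry the same user ID; only the first has the
# quoted fingerprint. Dates, the uid hash and the second key are placeholders.
SAMPLE_COLONS = """\
tru::1:1339335000:0:3:1:5
pub:-:2048:1:249B39D24F25E3B6:2011-01-12:::-:::scSC:
fpr:::::::::D8692123C4065DEA5E0F3AB5249B39D24F25E3B6:
uid:-::::2011-01-12::0000000000000000000000000000000000000000::Werner Koch (dist sig):
pub:-:2048:1:7777888899990000:2012-06-01:::-:::scSC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::2012-06-01::0000000000000000000000000000000000000000::Werner Koch (dist sig):
"""

# Validity column of a pub/uid record, as documented in GnuPG's doc/DETAILS.
VALIDITY = {"o": "unknown (new key)", "i": "invalid", "d": "disabled",
            "r": "revoked", "e": "expired", "-": "unknown", "q": "undefined",
            "n": "never", "m": "marginal", "f": "full", "u": "ultimate"}


def is_full_fingerprint(text):
    """True only for a complete 40-hex-digit v4 fingerprint (spaces ignored).

    A short key ID such as 4F25E3B6 is just the tail of the fingerprint and
    keys that collide on it can be generated at will, so it is rejected.
    """
    return re.fullmatch(r"[0-9A-Fa-f]{40}", re.sub(r"\s+", "", text)) is not None


def normalize_fpr(text):
    """Canonical upper-case, space-free form of a full fingerprint."""
    if not is_full_fingerprint(text):
        raise ValueError("need the full 40-digit fingerprint, got %r" % text)
    return re.sub(r"\s+", "", text).upper()


def parse_colons(output):
    """Group colon-separated records into one dict per primary key."""
    keys, current = [], None
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = {"keyid": fields[4], "validity": fields[1],
                       "fingerprint": None, "uids": []}
            keys.append(current)
        elif fields[0] == "fpr" and current and current["fingerprint"] is None:
            current["fingerprint"] = fields[9]  # first fpr after pub: primary key
        elif fields[0] == "uid" and current:
            current["uids"].append(fields[9])
    return keys


def check_key(keys, expected, uid):
    """Match on the fingerprint; report keys that merely share the user ID.

    Returns (status, matching_key_or_None, lookalikes) where status is
    'match', 'impostor' (no key has the fingerprint but some carry the UID)
    or 'missing'.
    """
    want = normalize_fpr(expected)
    match = next((k for k in keys if k["fingerprint"] == want), None)
    lookalikes = [k for k in keys if uid in k["uids"] and k["fingerprint"] != want]
    if match is None:
        return ("impostor" if lookalikes else "missing"), None, lookalikes
    # The 64-bit key ID is the low 64 bits of a v4 fingerprint; a mismatch
    # means the pub and fpr records do not belong together.
    if match["keyid"] != want[-16:]:
        raise ValueError("key ID %s inconsistent with fingerprint" % match["keyid"])
    return "match", match, lookalikes


def verify_will_warn(key):
    """True if `gpg --verify` with this key prints the 'not certified with a
    trusted signature' warning, i.e. its validity is below full. A local
    signature (`gpg --lsign-key`) from your own ultimately trusted key raises
    it to full without publishing anything to a keyserver."""
    return key["validity"] not in ("f", "u")


if __name__ == "__main__":
    keys = parse_colons(SAMPLE_COLONS)
    status, key, lookalikes = check_key(keys, EXPECTED_FPR, UID)
    print("status:", status)
    if key:
        print("key %s validity: %s, --verify will warn: %s"
              % (key["keyid"], VALIDITY[key["validity"]], verify_will_warn(key)))
    for k in lookalikes:
        print("same UID but different fingerprint:", k["fingerprint"])
```

To run it against a real keyring, replace `SAMPLE_COLONS` with the output of `gpg --with-colons --fingerprint 4F25E3B6`; the only trust input the check relies on is the full fingerprint you obtained out of band, which is the whole point of asking the list for it rather than for the key ID.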
