Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-11 Thread John Clizbe
da...@gbenet.com wrote: insanely ridiculous amount of untrimmed quoted noise snipped Hello Sam, Most people are normal users of pgp - I suspect there are few secret government agents - not that they are likely to say so :) though some believe them to be everywhere. Secret agents may or

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-11 Thread Mark Rousell
...@signal100.com To: gnupg-users@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? On 07/06/2012 11:27, Werner Koch wrote: On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said: If you look at my OpenPGP mail header you will be pointed to a “finger” address

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-11 Thread da...@gbenet.com
and other signatures as you said in your email ) and covers other aspects of how GPG works with regards to the PGP model? From: w...@gnupg.org To: smick...@hotmail.com CC: da...@gbenet.com; gnupg-users@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? Date

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Peter Lebbing
On 09/06/12 22:55, Robert J. Hansen wrote: I apologize for not understanding sooner There's no need for that :) Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Werner Koch
On Sat, 9 Jun 2012 11:28, markr-gn...@signal100.com said: Do you know of any common modern browsers that have finger protocol support built in? I wonder, how many people even have a finger client Indeed they must have dropped finger recently. I don't know when I checked the last time, but

RE: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Sam Smith
, 9 Jun 2012 06:09:54 +0100 From: da...@gbenet.com To: smick...@hotmail.com CC: gnupg-users@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/06/12 22:41, Sam Smith wrote: Another thing is that downloading

RE: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Sam Smith
@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? On 07/06/2012 11:27, Werner Koch wrote: On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said: If you look at my OpenPGP mail header you will be pointed to a “finger” address - enter it into your web browser (in case

RE: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Sam Smith
To: r...@sixdemonbag.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? CC: gnupg-users@gnupg.org On 09/06/12 15:44, Robert J. Hansen wrote: I'm not weighing in on what the mechanism should be: I don't get to declare what anyone else's policy should be. I was under

RE: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Sam Smith
works with regards to the PGP model? From: w...@gnupg.org To: smick...@hotmail.com CC: da...@gbenet.com; gnupg-users@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? Date: Sat, 9 Jun 2012 10:19:37 +0200 On Fri, 8 Jun 2012 23:41, smick...@hotmail.com said

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Werner Koch
On Sun, 10 Jun 2012 16:03, smick...@hotmail.com said: I wasn't going to say anything, but I had no idea what Mr. Koch was talking about with that finger stuff. I studied his email and the email header looking for clues. Couldn't decipher what he meant. I am sorry about this. Most of the time

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Werner Koch
On Sun, 10 Jun 2012 16:36, smick...@hotmail.com said: Mr. Koch, can you (or anyone else) recommend a book that is good for novices like myself that covers GPG public keys and can help me learn how to verify identity based on the chain of trust (self-signatures and other signatures as you said

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Robert J. Hansen
On 06/10/2012 10:36 AM, Sam Smith wrote: Mr. Koch, can you (or anyone else) recommend a book... Michael W. Lucas, PGP GPG: Email for the Practical Paranoid, No Starch Press, 2006. http://www.powells.com/biblio/62-9781593270711-0

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread da...@gbenet.com
for the instruction, guys. I appreciate the time and energy you guys spent writing the emails to me. means a lot to me. Date: Sat, 9 Jun 2012 06:09:54 +0100 From: da...@gbenet.com To: smick...@hotmail.com CC: gnupg-users@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Robert J. Hansen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David -- Please consider using clear signatures instead of conventional signatures. If someone looks in the list archives they'll see a huge opaque blob of text they can't read. Likewise if someone tries to read your email on a system that

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Robert J. Hansen
On 06/10/2012 11:25 PM, Robert J. Hansen wrote: Please consider using clear signatures instead of conventional signatures. My apologies: you're sending it with Base64 encoding instead of as text/plain. With that correction my comment still applies: it's much harder for those viewing the list

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Mika Suomalainen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07.06.2012 19:52, Robert J. Hansen wrote: On 6/7/12 12:32 PM, Werner Koch wrote: That is actually a bit funny: I never asked anyone to sign that key. Probably they deduced the correctness from my regular key which I used to sign the above key.

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Werner Koch
On Fri, 8 Jun 2012 23:41, smick...@hotmail.com said: Another thing is that downloading the key from that link you provided is no guarantee of safety in and of itself either because the page is not being hosted over SSL with confirmed identity information. So That is not relevant. The key

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Mark Rousell
On 07/06/2012 11:27, Werner Koch wrote: On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said: If you look at my OpenPGP mail header you will be pointed to a “finger” address - enter it into your web browser (in case you don't know what finger is) and you will see Just as an aside, I

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Robert J. Hansen
Please consider trimming your quotes. The amount that's going on here strikes me as pretty excessive. I'm not standing on a chair and screaming that you're doing it wrong, of course: this is just a friendly request to please trim your quotes. :) The whole idea behind the web of trust is that

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread michael crane
On Sat, June 9, 2012 10:28 am, Mark Rousell wrote: On 07/06/2012 11:27, Werner Koch wrote: On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said: If you look at my OpenPGP mail header you will be pointed to a “finger” address - enter it into your web browser (in case you don't know what

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Peter Lebbing
On 09/06/12 02:22, Robert J. Hansen wrote: Some might shake their heads and say no, it's not: you only verified you were speaking with *a* Werner Koch who had access to *the* Werner Koch's email address, not that you were speaking to *the* Werner Koch. So how /do/ you verify that you have the

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Sven Radde
Hi! Perhaps it would be worthwhile to add a question to the signing process: Have you met this person face-to-face and verified his/her identity? (y/N) If the user answers no, display a warning that the user probably wants to lsign, not to sign, and give the option of making an lsign

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Mark Rousell
On 09/06/2012 12:05, michael crane wrote: On Sat, June 9, 2012 10:28 am, Mark Rousell wrote: On 07/06/2012 11:27, Werner Koch wrote: On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said: If you look at my OpenPGP mail header you will be pointed to a “finger” address - enter it into your

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Robert J. Hansen
On 06/09/2012 07:21 AM, Peter Lebbing wrote: So how /do/ you verify that you have the distribution key for GnuPG? By fiat. You go through some mechanism and at the completion declare, I am satisfied that the likelihood of this *not* being the correct distribution key is quite low. I'm not

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Robert J. Hansen
On 06/09/2012 09:44 AM, Robert J. Hansen wrote: It doesn't really matter how many Werner Kochs there are. Sure it does. As an absurdist thought experiment... An anecdote might work better than an absurdist thought experiment, come to think of it... = In the United States, the

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Peter Lebbing
On 09/06/12 15:44, Robert J. Hansen wrote: I'm not weighing in on what the mechanism should be: I don't get to declare what anyone else's policy should be. I was under the impression you did. I interpreted your mail and particularly the statement but this either is or isn't a proper

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Robert J. Hansen
On 06/09/2012 11:05 AM, Peter Lebbing wrote: your reply, I understand now you did not mean it like that. I was already quite puzzled about my interpretation because it didn't sound like you :). Thank you for giving me the benefit of the doubt. :) Funnily, we're saying the same thing. You

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Peter Lebbing
On 09/06/12 17:17, Robert J. Hansen wrote: My bootstrap is I trust my Linux distribution. My distro is a trusted software provider, in the traditional security sense of a trusted provider. If I receive software from an official Fedora repo and it is signed by the repo release team, that's

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread michael crane
On Sat, June 9, 2012 2:29 pm, Mark Rousell wrote: snipped What types of processes are forbidden by DreamHost? [deletia] Err.. sorry, not following you. :-) Who is using Dreamhost and what has it got to do with the finger protocol? Werner doesn't seem to be using Dreamhost for what it's

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Robert J. Hansen
On 06/09/2012 11:57 AM, Peter Lebbing wrote: Suppose you would want to build from the vanilla source downloaded from gnupg.org and signed by Werner Koch (dist sig), how would you verify authenticity of that key? I don't understand where this question is going. I would find some trusted path,

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Peter Lebbing
On 09/06/12 20:05, michael crane wrote: I'm using dreamhost. I appreciated that it seems quite handy to have all that random characters stuff outside of the message body and I was pointing out that it is not universally accepted to have daemon thingys like finger running so limiting the

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Peter Lebbing
On 09/06/12 20:47, Robert J. Hansen wrote: On 06/09/2012 11:57 AM, Peter Lebbing wrote: Suppose you would want to build from the vanilla source downloaded from gnupg.org and signed by Werner Koch (dist sig), how would you verify authenticity of that key? I don't understand where this

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Robert J. Hansen
On 6/9/2012 4:14 PM, Peter Lebbing wrote: Where the question is going is rather simple: what would you recommend Joe Average User to do to verify the authenticity of the GnuPG source he downloaded, not questioning his desire to build from that source. Ah, I see. I apologize for not

RE: can someone verify the gnupg Fingerprint for pubkey?

2012-06-08 Thread Sam Smith
. Date: Thu, 7 Jun 2012 05:23:43 +0100 From: da...@gbenet.com To: gnupg-users@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/06/12 00:15, Sam Smith wrote: yes, impersonation of the UID [Werner Koch (dist sig

RE: can someone verify the gnupg Fingerprint for pubkey?

2012-06-08 Thread Sam Smith
the link that you provided. Date: Thu, 7 Jun 2012 05:23:43 +0100 From: da...@gbenet.com To: gnupg-users@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/06/12 00:15, Sam Smith wrote: yes, impersonation

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-08 Thread Robert J. Hansen
On 06/08/2012 05:37 PM, Sam Smith wrote: I downloaded the GnuPG program. I then ran --verify and was told that the key was signed with 0x4F25E3B6 key. I download 0x4F25E3B6 key from a key server and then asked people on this mailing list to confirm that I downloaded a legit key. Several people

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-08 Thread da...@gbenet.com
technically there's no guarantee I'm actually interacting with the GnuPG.org website. Date: Thu, 7 Jun 2012 05:23:43 +0100 From: da...@gbenet.com To: gnupg-users@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? On 07/06/12 00:15, Sam Smith wrote: yes

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-07 Thread Werner Koch
On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said: But it's a bit unclear to me on what basis you decided it looked correct? Your mail suggests to me that you decided that based on the fact that the UID on that key is Werner Koch (dist sig). But that would be the very first thing a If

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-07 Thread Mika Suomalainen
+0200 From: pe...@digitalbrains.com To: gnupg-users@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? On 06/06/12 17:58, Mika Suomalainen wrote: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Looks correct. ``` % gpg --recv-keys

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-07 Thread da...@gbenet.com
.. The subject of your e-mail is: can someone verify the gnupg Fingerprint for pubkey? I gave you a direct link to import gnupg's public key - but pointed out to you that the normal procedure for verification would not work i.e all your public keys are by default untrustworthy and that the only way

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-07 Thread Robert J. Hansen
misspelling Werner's name. It's Werner, not Verner. As to the question: can someone verify the gnupg Fingerprint for pubkey? The answer is no. Why? It is not a person but a bit of software. The certificate belongs to someone. If Werner were to appear before me with his passport and said I control

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-07 Thread da...@gbenet.com
that gnupg is running on your computer gpg/2 --version.. As an FYI, you are consistently misspelling Werner's name. It's Werner, not Verner. As to the question: can someone verify the gnupg Fingerprint for pubkey? The answer is no. Why? It is not a person but a bit of software

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-07 Thread Werner Koch
On Thu, 7 Jun 2012 17:59, mika.henrik.mai...@hotmail.com said: % gpg --list-sigs D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 pub 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31] uid Werner Koch (dist sig) sig 58DFC608 2011-06-11 Andrey ... sig 30B94B5C

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-07 Thread Robert J. Hansen
On 6/7/12 12:32 PM, Werner Koch wrote: That is actually a bit funny: I never asked anyone to sign that key. Probably they deduced the correctness from my regular key which I used to sign the above key. That is not a surprise; I have seen many signatures on my keys from people I never met.

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-07 Thread Robert J. Hansen
On 6/7/12 1:05 PM, Sam Whited wrote: It would also just be an unwanted extra step for a lot of people. Yes. And there are doubtless a large number of people who really don't want to have to type in their new passphrase twice, too. We make them do it anyway. Objecting to it on the grounds of I

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-07 Thread Sam Whited
On Thu, Jun 7, 2012 at 1:22 PM, Robert J. Hansen r...@sixdemonbag.org wrote: Yes.  And there are doubtless a large number of people who really don't want to have to type in their new passphrase twice, too.  We make them do it anyway. Yes, but that actually serves a purpose, it prevents people

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-07 Thread Robert J. Hansen
On 6/7/12 2:10 PM, Sam Whited wrote: ...yes, it's hardly onerous, but it's still one extra step that does nothing for more advanced users (except perhaps when they haven't had enough coffee early in the morning :) ). Friend of mine, a former law-enforcement officer, is a big believer in

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-07 Thread michael crane
On Thu, June 7, 2012 11:27 am, Werner Koch wrote: snipped If you look at my OpenPGP mail header you will be pointed to a “finger” address - enter it into your web browser (in case you don't know what finger is) and you will see I see that it would be handy to have this stuff in the

can someone verify the gnupg Fingerprint for pubkey?

2012-06-06 Thread Sam Smith
Can someone please verify that I have the legit public key to verify GnuPG with? I checked the website but the Fingerprint is not given anywhere. I got this Fingerprint for the Public Key I downloaded D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-06 Thread Charly Avital
Sam Smith snt123-w473749522376a8d4b7b6eac2...@phx.gbl June 6, 2012 9:25:37 AM wrote: Sam Smith wrote on 6/6/12 8:54 AM: Can someone please verify that I have the legit public key to verify GnuPG with? I checked the website but the Fingerprint is not given anywhere. I got this Fingerprint for

RE: can someone verify the gnupg Fingerprint for pubkey?

2012-06-06 Thread Sam Smith
:31:15 -0400 From: shavi...@gmail.com To: gnupg-users@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? Sam Smith snt123-w473749522376a8d4b7b6eac2...@phx.gbl June 6, 2012 9:25:37 AM wrote: Sam Smith wrote on 6/6/12 8:54 AM: Can someone please verify that I have

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-06 Thread Hubert Kario
of fingerprint. Regards, Hubert Kario Date: Wed, 6 Jun 2012 09:31:15 -0400 From: shavi...@gmail.com To: gnupg-users@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? Sam Smith snt123-w473749522376a8d4b7b6eac2...@phx.gbl June 6, 2012 9:25:37 AM wrote: Sam Smith

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-06 Thread da...@gbenet.com
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 06/06/12 13:54, Sam Smith wrote: Can someone please verify that I have the legit public key to verify GnuPG with? I checked the website but the Fingerprint is not given anywhere. I got this Fingerprint for the Public Key I downloaded D869

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-06 Thread Mika Suomalainen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 06.06.2012 15:54, Sam Smith wrote: Can someone please verify that I have the legit public key to verify GnuPG with? I checked the website but the Fingerprint is not given anywhere. I got this Fingerprint for the Public Key I downloaded

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-06 Thread Peter Lebbing
On 06/06/12 17:58, Mika Suomalainen wrote: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Looks correct. ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net gpg: key 4F25E3B6: public key Werner Koch (dist

RE: can someone verify the gnupg Fingerprint for pubkey?

2012-06-06 Thread Sam Smith
verify the gnupg Fingerprint for pubkey? On 06/06/12 17:58, Mika Suomalainen wrote: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Looks correct. ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net gpg

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-06 Thread Robert J. Hansen
On 06/06/2012 07:15 PM, Sam Smith wrote: My efforts to verify the fingerprint are the best way to do this, correct? Best is a relative term. The gold standard for validation involves meeting someone who claims to be Werner Koch, asking him for his passport, checking that his passport identifies

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-06 Thread da...@gbenet.com
+0200 From: pe...@digitalbrains.com To: gnupg-users@gnupg.org Subject: Re: can someone verify the gnupg Fingerprint for pubkey? On 06/06/12 17:58, Mika Suomalainen wrote: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Looks correct. ``` % gpg --recv-keys