On 06/08/2012 05:37 PM, Sam Smith wrote:
> I downloaded the GnuPG program. I then ran --verify and was told that
> the key was signed with 0x4F25E3B6 key. I downloaded 0x4F25E3B6 key from a
> key server and then asked people on this mailing list to confirm that I
> downloaded a legit key. Several people on this mailing list confirmed
> the fingerprint of this key as a legit key. I then marked the key as
> trusted because I verified the fingerprint.
I hate to give an unclear answer, but this either is or isn't a proper verification, and there's no in-between. Before you go about thinking that's a pointless answer, please: I promise you that it's a completely accurate answer, and understanding why it's accurate will help you understand the nature of verification.

The ancient Greeks had a branch of philosophy that was concerned with the nature of knowledge: not just what did we know, but how is it that we knew it, and on what basis did we trust it? This branch was called epistemology, and verification is an epistemological question.

All right, you have a certificate and you know it's truly Werner's release signing certificate: but *how do you know it*?

The gold standard of such knowledge involves meeting Werner face-to-face, checking his passport, verifying that it's a real passport and not a forgery, receiving his certificate fingerprint directly from him, emailing him at that address to confirm that he truly has access to the address listed, and so forth. If you were to do this many people on this list would nod appreciatively and say that yes, this is a proper verification.

Some might shake their heads and say no, it's not: you only verified you were speaking with *a* Werner Koch who had access to *the* Werner Koch's email address, not that you were speaking to *the* Werner Koch. And, you know what? They'd be absolutely right.

Ultimately, whether a given verification process rises to the bar of sufficiency is a personal decision. There is no absolute standard. As a result of this, you can only ever rely on being able to satisfy yourself -- there will always be people out there who believe your verification process is insufficient. And that's why your process either is or isn't a proper verification, and why there's no in-between.
If you can honestly say that you understand the risks of asking the list, that you've considered those risks and you're comfortable doing things this way, then sign that certificate with a clear conscience and don't let anybody tell you that you're doing it wrong.

Me, I think your process is certifiably crazy and I would never, ever do it that way. But you know what? I don't get to control your decision-making process and I don't think you should put any stock in my opinion. After all, I'm just a guy on the internet whom you've never met. You have no idea if I'm a bulwark of sanity or if I bark at the moon on a regular basis. :)