On 09/06/12 15:44, Robert J. Hansen wrote:
> I'm not weighing in on what the mechanism should be: I don't get to declare
> what anyone else's policy should be.

I was under the impression you did. I interpreted your mail, and particularly the statement

> but this either is or isn't a proper verification, and there's no
> in-between.

as meaning that there is only one correct way to do a proper verification. From your reply, I understand now you did not mean it like that. I was already quite puzzled about my interpretation because it didn't sound like you :).

>> It doesn't really matter how many Werner Kochs there are.
>
> Sure it does. As an absurdist thought experiment, let's think of a nation --
> call it Kochistan. In Kochistan, everyone is required to have the name
> Werner Koch. Most people in Kochistan are honest. If you ask them if
> they're *the* Werner Koch, they'll tell you no, they're not.

Funnily, we're saying the same thing. You yourself said you don't particularly care if Werner Koch is actually called Horace Micklethorpe or Harry Palmer or ... Then why are you interested in the number of Werner Kochs?

The thing I'm interested in: is the source of GnuPG I downloaded actually the program we know and love? I'm at this point not interested in the fact that Werner Koch is a main developer of it, or what his proper name is. For all I know his birth name indeed is Horace. He might as well have given the UID "GnuPG dist sig" to the key, instead of "Werner Koch (dist sig)". The only reason we are talking about "the" Werner Koch is that his name is in the UID, which might as easily not have been. As I said, the number of Werner Kochs is insubstantial.

> I don't trust crowdsourcing to verify GnuPG. If someone or some group
> subverts that system my exposure might be much greater and I might not learn
> about it for quite some time.

So how did you verify your GnuPG source? If you say "I asked a close friend", my counter-question is: how did he/she? What I want to know is: what bootstrapped the confidence that the key was the proper GnuPG dist sig?

Personally, I did it by checking from a number of locations that the key making the signature is the same from wherever I try. Also, I spread the checks over a substantial period of time. If the website got hacked, I hoped it would come out in that period of time. It did not at any point include the quantity of Werner Kochs.

Now, if I wanted more satisfaction, I would indeed turn to this mailing list, ask members whether they see the same fingerprint, and check the replies from several locations to see that from wherever I check, the replies are identical. Again, add a little time to allow for members to write to the mailing list "Hey, I did not write that reply!" in case of impersonation. Hopefully at least one person would notice and expose the deception.

And I do not see this process as, to quote you, "certifiably crazy" at all. It would perhaps be if I only checked it from the same computer as where I downloaded the source and signature and keyblock, but nowhere is it stated this is the case.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
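The check Peter describes above, written out as an added example (this is not code from the thread, from Peter, or from the GnuPG project): read the issuer that a detached OpenPGP signature names, without trusting any key block that came from the same download location, then compare it against fingerprints recorded independently from several vantage points over a period of time. The signature packet, the fingerprint, the key ID and the observation list are all constructed placeholders, not the real GnuPG dist-sig key; the thresholds `min_locations` and `min_days` are the example's own assumptions about what "a number of locations" and "a substantial period of time" should mean.

```python
"""
Added example: which key does a detached .sig claim was used, and do
independently recorded fingerprints agree with it across locations and time?
Only the packet framing and the issuer subpackets (RFC 4880) are parsed; the
signature itself is not verified, gpg does that.
"""
import re
from collections import defaultdict
from datetime import date

# CONSTRUCTED placeholder fingerprint and its key ID (low 64 bits), not a real key.
SAMPLE_FPR = "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"
SAMPLE_KEY_ID = SAMPLE_FPR[-16:]

# CONSTRUCTED observations: (where the fingerprint was read, when, value as copied).
SAMPLE_OBSERVATIONS = [
    ("home DSL", date(2012, 8, 20), "A1B2 C3D4 E5F6 0718 293A  4B5C 6D7E 8F90 0112 2334"),
    ("office", date(2012, 8, 27), SAMPLE_FPR),
    ("friend's VPS", date(2012, 9, 6), SAMPLE_FPR.lower()),
]


def _length(buf, pos, subpacket=False):
    """New-format packet length (RFC 4880 4.2.2) or subpacket length (5.2.3.1)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255 and (subpacket or first < 224):
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not supported")


def signature_issuer(sig):
    """Return (key_id_hex, fingerprint_hex) named by a binary v4 signature packet.
    Older signatures carry only the 8-byte key ID (subpacket 16), so the
    fingerprint (subpacket 33) may be None."""
    hdr = sig[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                                   # new-format header
        tag = hdr & 0x3F
        length, pos = _length(sig, 1)
    else:                                            # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length, pos = int.from_bytes(sig[1:1 + size], "big"), 1 + size
    if tag != 2:
        raise ValueError("not a signature packet (tag %d)" % tag)
    body = sig[pos:pos + length]
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hashed_len = int.from_bytes(body[4:6], "big")    # version, type, pk alg, hash alg precede it
    hashed = body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed_len = int.from_bytes(body[p:p + 2], "big")
    unhashed = body[p + 2:p + 2 + unhashed_len]
    key_id = fpr = None
    for area in (hashed, unhashed):
        q = 0
        while q < len(area):
            slen, q = _length(area, q, subpacket=True)
            stype = area[q] & 0x7F                   # high bit is the "critical" flag
            data = area[q + 1:q + slen]
            q += slen
            if stype == 16:
                key_id = data.hex().upper()
            elif stype == 33:                        # one version octet, then the fingerprint
                fpr = data[1:].hex().upper()
    if key_id is None and fpr is None:
        raise ValueError("signature names no issuer")
    return key_id, fpr


def assess(observations, issuer, min_locations=3, min_days=14):
    """Does exactly one fingerprint, seen from enough places over enough time,
    match the signature's issuer? Returns (ok, list of problems)."""
    key_id, fpr = issuer
    seen = defaultdict(list)
    for loc, day, value in observations:
        seen[re.sub(r"\s+", "", value).upper()].append((loc, day))
    issues = []
    if len(seen) > 1:                                # somebody saw a different key
        majority = max(seen, key=lambda f: len(seen[f]))
        for f, where in seen.items():
            if f != majority:
                issues.append("divergent fingerprint %s at %s" % (f, [w[0] for w in where]))
    # a v4 key ID is the low 64 bits of the fingerprint; a full fingerprint match is preferred
    matches = [f for f in seen if (fpr and f == fpr) or (not fpr and key_id and f.endswith(key_id))]
    if len(matches) != 1:
        issues.append("issuer does not match exactly one observed fingerprint")
        return False, issues
    where = seen[matches[0]]
    locations = {loc for loc, _ in where}
    if len(locations) < min_locations:
        issues.append("only %d independent location(s), need %d" % (len(locations), min_locations))
    days = [d for _, d in where]
    span = (max(days) - min(days)).days
    if span < min_days:
        issues.append("observations span %d day(s), need %d" % (span, min_days))
    return not issues, issues


def sample_signature():
    """CONSTRUCTED sample: a syntactically valid v4 RSA/SHA-256 signature packet
    with a dummy MPI. It verifies nothing; it only carries an issuer key ID."""
    hashed = bytes([5, 2]) + (1346937840).to_bytes(4, "big")      # creation time
    unhashed = bytes([9, 16]) + bytes.fromhex(SAMPLE_KEY_ID)      # issuer key ID
    body = (bytes([4, 0x00, 1, 8])
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\x12\x34" + (16).to_bytes(2, "big") + b"\xDE\xAD")  # hash prefix, dummy MPI
    return bytes([0xC2, len(body)]) + body


if __name__ == "__main__":
    issuer = signature_issuer(sample_signature())          # or open("file.sig", "rb").read()
    print("signature names key ID", issuer[0])
    print(assess(SAMPLE_OBSERVATIONS, issuer))
```

On a real download, feed `signature_issuer()` the binary `.sig` file (an ASCII-armoured `.asc` must be dearmoured first), and fill the observation list with fingerprints you copied down yourself from different networks on different days, not from the host that served the tarball. `gpg --list-packets file.sig` shows the same issuer fields if you would rather read them by hand. Two caveats a practitioner should keep in mind: a 64-bit key ID is much weaker evidence than a full 160-bit fingerprint, since key IDs can be collided deliberately, so prefer signatures and observations that carry the full fingerprint; and agreement across locations only defends against a tampered download site, not against a key that was wrong from the start, which is exactly the bootstrapping question the thread is about.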