On Sat, May 13, 2017 at 03:18:39PM -0500, Andrew David Wong wrote: > There are many other methods you could use to attempt to verify the > master key fingerprint aside from relying on the Qubes website. Here's > a brief, non-exhaustive list: > > * Use different search engines to search for the fingerprint. > * Use Tor to view and search for the fingerprint on various websites. > * Use various VPNs and proxy servers. > * Use different Wi-Fi networks (work, school, internet cafe, etc.). > * Ask people to post the fingerprint in various forums and chat rooms. > * Check against PDFs and photographs in which the fingerprint appears > (e.g., slides from a talk or on a T-shirt). > * Repeat all of the above from different computers and devices.
Don't forget the PGP web-of-trust. For me personally this is a very short trust path with multiple connections. For example: 1) my PGP key is 0x7FAB114267E4FA04 2) I've signed Nicolas Vigier (boklm)'s key, IIRC after a keysigning a few years back at a Tor conference. 3) Nicolas Vigier has signed the Qubes Master Signing Key. Which you can see here: https://pgp.cs.uu.nl/paths/7fab114267e4fa04/to/2067001b1b678a63.html A few more paths: Me to Ola Bini: https://pgp.cs.uu.nl/mk_path.cgi?FROM=7FAB114267E4FA04&TO=295c746984af7f0c&PATHS=trust+paths Me to Holger Levsen: https://pgp.cs.uu.nl/mk_path.cgi?FROM=7FAB114267E4FA04&TO=091AB856069AAA1C&PATHS=trust+paths Unfortunately the tools to actually find these paths all kinda suck, but they do at least the paths exist. The one I used to find the above is https://pgp.cs.uu.nl/, however it has the significant limitation that it only works for keys in the "strong set" - the Qubes signing key is *not* in that set because it has never signed another key that is in that set. IMO the Qubes project should fix this. -- https://petertodd.org 'peter'[:-1]@petertodd.org -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To post to this group, send email to qubes-devel@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20170513232121.GA12406%40fedora-23-dvm. For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: Digital signature