Re: can someone verify the gnupg Fingerprint for pubkey?
On 07/06/12 00:15, Sam Smith wrote:
> yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm trying to
> guard against.
>
> My efforts to verify the fingerprint are the best way to do this, correct?
>
>> Date: Wed, 6 Jun 2012 21:54:01 +0200
>> From: pe...@digitalbrains.com
>> To: gnupg-users@gnupg.org
>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>>
>> On 06/06/12 17:58, Mika Suomalainen wrote:
>> >> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>> > Looks correct.
>> >
>> > % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
>> > gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
>> > gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
>>
>> I agree it appears he has the correct key. I did a local sig on it after what
>> checking I seemed to be able to do without meeting people in person.
>>
>> But it's a bit unclear to me on what basis you decided it looked correct? Your
>> mail suggests to me that you decided that based on the fact that the UID on
>> that key is "Werner Koch (dist sig)". But that would be the very first thing a
>> potential attacker would duplicate in his effort to fool our OP. Even if he's
>> using MITM tricks to subvert his system, he can still post his personally
>> generated key to the keyserver with this UID.
>>
>> Peter.
>>
>> PS: I briefly considered signing this message, because the attacker might MITM
>> my message to the OP. Then I realised what good that signature would do :).
>>
>> --
>> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
>> You can send me encrypted mail if you want some privacy.
>> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

Sam,

You are a little confused - you ask "can someone verify the gnupg fingerprint for pubkey" and you use Werner's key to verify gnupg. Then you worry about impersonation - now clearly Werner and gnupg have different keys. Or don't you know that? Clearly you failed to follow my link and clearly you failed to check the public key for gnupg.

Now being a little confused try and get a clear question in your mind - is it Werner's key that you have such a passion to verify or gnupg? Werner's had about three keys two of which have expired - to the best of my knowledge he's a real person - he even maintains this list. You could always try encrypting an e-mail to his public key asking him if he's a real person. I'd suggest you not do the same for the public key of gnupg.

People generate a private and a public key; imaginary people don't do this - granted someone can set up a false ID and create a set of keys - but though they have created a false ID to do so they are nevertheless real people. If you are so concerned about Werner's key why not take a trip to Germany and arrange to meet him? You can't meet the gnupg (as it's a bit of software) but you can verify it's running on your computer.

All your keys are "untrusted." Every one of them - apart from your own public key. They all remain so until you actually meet that person and verify that they are who they say they are. You carefully check their passport their driving licence. But gnupg has not got a passport or a driving license. The only way you can check if gnupg is real is to check if it's running on your computer gpg --version - this will tell you if you have the software installed.

If it's installed and working correctly it must be real. What if that fails? Well you do the same thing gpg2 --version and hope that Werner does not pop up and say "Hello."

David

--
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion.”
https://linuxcounter.net/user/512854.html - http://gbenet.com

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/06/2012 07:15 PM, Sam Smith wrote:
> My efforts to verify the fingerprint are the best way to do this, correct?

"Best" is a relative term. The gold standard for validation involves meeting someone who claims to be Werner Koch, asking him for his passport, checking that his passport identifies him as Werner Koch and that all the anti-forgery measures are in place on the document, and having him tell you directly what his certificate fingerprint is.

Of course, this just establishes you have the certificate of *a* Werner Koch, and maybe not the one you want.

Certificate validation is a surprisingly hard thing to do. Sorry. :(
RE: can someone verify the gnupg Fingerprint for pubkey?
yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm trying to guard against.

My efforts to verify the fingerprint are the best way to do this, correct?

> Date: Wed, 6 Jun 2012 21:54:01 +0200
> From: pe...@digitalbrains.com
> To: gnupg-users@gnupg.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>
> On 06/06/12 17:58, Mika Suomalainen wrote:
> >> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> > Looks correct.
> >
> > % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> > gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
> > gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
>
> I agree it appears he has the correct key. I did a local sig on it after what
> checking I seemed to be able to do without meeting people in person.
>
> But it's a bit unclear to me on what basis you decided it looked correct? Your
> mail suggests to me that you decided that based on the fact that the UID on
> that key is "Werner Koch (dist sig)". But that would be the very first thing a
> potential attacker would duplicate in his effort to fool our OP. Even if he's
> using MITM tricks to subvert his system, he can still post his personally
> generated key to the keyserver with this UID.
>
> Peter.
>
> PS: I briefly considered signing this message, because the attacker might MITM
> my message to the OP. Then I realised what good that signature would do :).
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/06/12 17:58, Mika Suomalainen wrote:
>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> Looks correct.
>
> % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
> gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported

I agree it appears he has the correct key. I did a local sig on it after what checking I seemed to be able to do without meeting people in person.

But it's a bit unclear to me on what basis you decided it looked correct? Your mail suggests to me that you decided that based on the fact that the UID on that key is "Werner Koch (dist sig)". But that would be the very first thing a potential attacker would duplicate in his effort to fool our OP. Even if he's using MITM tricks to subvert his system, he can still post his personally generated key to the keyserver with this UID.

Peter.

PS: I briefly considered signing this message, because the attacker might MITM my message to the OP. Then I realised what good that signature would do :).

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06.06.2012 15:54, Sam Smith wrote:
> Can someone please verify that I have the legit public key to
> verify GnuPG with? I checked the website but the Fingerprint is not
> given anywhere.
>
> I got this Fingerprint for the Public Key I downloaded
>
> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

Looks correct.

```
% gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
gpg: waiting for lock (held by 9266) ...
gpg: waiting for lock (held by 9266) ...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 4 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 4 signed: 11 trust: 3-, 0q, 0n, 1m, 0f, 0u
gpg: next trustdb check due at 2012-07-29
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
```

--
[Mika Suomalainen](https://mkaysi.github.com/) ||
[gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) ||
[Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) ||
[Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) ||
[This signature](https://gist.github.com/2643070#file_icedove.md) ||
[Please reply below this line](http://mkaysi.github.com/articles/complaining/topposting.html)
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/06/12 13:54, Sam Smith wrote:
> Can someone please verify that I have the legit public key to verify GnuPG
> with? I checked the website but the Fingerprint is not given anywhere.
>
> I got this Fingerprint for the Public Key I downloaded
>
> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

Hello,

You want to go to this link > http://gnupg.org/signature_key.en.html and select the public key block - then copy then open whatever gnupg frontend you have and import from clipboard

David

--
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion.”
https://linuxcounter.net/user/512854.html - http://gbenet.com
Re: can someone verify the gnupg Fingerprint for pubkey?
On Wednesday 06 of June 2012 09:39:12 Sam Smith wrote:
> Yeah, thanks. It's the key that signed the .sig and the one I needed to
> download to verify. I downloaded it from a Key Server--don't know how else
> to get the public key.
>
> I checked the gpg package legitimacy on a computer that already had gpg
> installed. But wanted to make sure I had a legit pub key for the new
> machine I was building. Thanks!
>
> Is there another way to verify the legitimacy of a downloaded public key?
> (assuming you don't know any of the other sigs on the pub key that is,
> obviously). Or is asking on a user list like this the recommended way?

From security perspective, the public key and (long) fingerprint are synonymous.

In other words, as long as the fingerprint matches the certificate, it doesn't matter where you get the certificate from. But this only holds true if you trust the validity of fingerprint.

Regards,
Hubert Kario

> > Date: Wed, 6 Jun 2012 09:31:15 -0400
> > From: shavi...@gmail.com
> > To: gnupg-users@gnupg.org
> > Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> >
> > Sam Smith June 6, 2012 9:25:37 AM wrote:
> >
> > Sam Smith wrote on 6/6/12 8:54 AM:
> > > Can someone please verify that I have the legit public key to verify
> > > GnuPG with? I checked the website but the Fingerprint is not given
> > > anywhere.
> > >
> > > I got this Fingerprint for the Public Key I downloaded
> > >
> > > D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> >
> > That's the fingerprint for Werner Koch (dist sig):
> >
> > pub 2048R/4F25E3B6 created: 2011-01-12 expires: 2019-12-31 usage: SC
> > trust: [] validity: []
> > sub 2048R/AC87C71A created: 2011-01-12 expires: 2019-12-31 usage: A
> > [] (1). Werner Koch (dist sig)
> > pub 2048R/4F25E3B6 2011-01-12 Werner Koch (dist sig)
> > Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> >
> > Hope this is what you were looking for.
> > Charly
> > Mac OS X 10.7.4 (11E52) MacBook Intel C2Duo MacGPG2-2.0.17-9
> > Thunderbird 13.0 Enigmail 1.4.2 (20120519-0100)

--
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl
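An added example, not part of any message in this thread: a Python model of the two points made above, that a UID is free text anyone can copy (Peter) while the fingerprint is a hash of the key material itself (Hubert Kario). It follows the version 4 fingerprint rule of RFC 4880; the toy key numbers, the certificate dictionaries and the `accept` helper are constructed for illustration.

```python
import hashlib
import struct

# Fingerprint quoted throughout the thread for "Werner Koch (dist sig)".
THREAD_FPR = "D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6"


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet: version, creation time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, the key body."""
    data = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    return hashlib.sha1(data).hexdigest().upper()


def normalize(fpr: str) -> str:
    """Strip spaces and upper-case; reject anything shorter than the full 160 bits."""
    compact = "".join(fpr.split()).upper()
    if len(compact) != 40 or any(c not in "0123456789ABCDEF" for c in compact):
        raise ValueError("expected a 40-hex-digit fingerprint, not a short key ID")
    return compact


def short_key_id(fpr: str) -> str:
    """The 8-digit ID gpg prints is only the last 32 bits of the fingerprint."""
    return normalize(fpr)[-8:]


def accept(cert: dict, trusted_fpr: str) -> bool:
    """Accept a certificate only if its key material hashes to the trusted fingerprint.
    The UID is deliberately ignored: it is not covered by the fingerprint."""
    return v4_fingerprint(cert["key_body"]) == normalize(trusted_fpr)


# Constructed toy certificates (tiny, insecure numbers; not real keys).
CREATED = 1294790400  # constructed timestamp
UID = "Werner Koch (dist sig)"
genuine = {"uid": UID, "key_body": rsa_key_body(CREATED, 0xC0FFEE11, 65537)}
impostor = {"uid": UID, "key_body": rsa_key_body(CREATED, 0xBADC0DE7, 65537)}
relabelled = {"uid": "some other label", "key_body": genuine["key_body"]}

# Stand-in for a fingerprint learned through a channel you already trust.
TRUSTED = v4_fingerprint(genuine["key_body"])

if __name__ == "__main__":
    for name, cert in (("genuine", genuine), ("impostor", impostor),
                       ("relabelled", relabelled)):
        print(name, repr(cert["uid"]), v4_fingerprint(cert["key_body"]),
              accept(cert, TRUSTED))
    print("short key ID of the thread's fingerprint:", short_key_id(THREAD_FPR))
```

The impostor carries the same UID and is still rejected, while the relabelled copy of the genuine key is accepted; what the check cannot tell you is whether `TRUSTED` itself came from the right person.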
RE: can someone verify the gnupg Fingerprint for pubkey?
Yeah, thanks. It's the key that signed the .sig and the one I needed to download to verify. I downloaded it from a Key Server--don't know how else to get the public key.

I checked the gpg package legitimacy on a computer that already had gpg installed. But wanted to make sure I had a legit pub key for the new machine I was building. Thanks!

Is there another way to verify the legitimacy of a downloaded public key? (assuming you don't know any of the other sigs on the pub key that is, obviously). Or is asking on a user list like this the recommended way?

> Date: Wed, 6 Jun 2012 09:31:15 -0400
> From: shavi...@gmail.com
> To: gnupg-users@gnupg.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>
> Sam Smith June 6, 2012 9:25:37 AM wrote:
> Sam Smith wrote on 6/6/12 8:54 AM:
> > Can someone please verify that I have the legit public key to verify
> > GnuPG with? I checked the website but the Fingerprint is not given anywhere.
> >
> > I got this Fingerprint for the Public Key I downloaded
> >
> > D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>
> That's the fingerprint for Werner Koch (dist sig):
>
> pub 2048R/4F25E3B6 created: 2011-01-12 expires: 2019-12-31 usage: SC
> trust: [] validity: []
> sub 2048R/AC87C71A created: 2011-01-12 expires: 2019-12-31 usage: A
> [] (1). Werner Koch (dist sig)
> pub 2048R/4F25E3B6 2011-01-12 Werner Koch (dist sig)
> Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>
> Hope this is what you were looking for.
> Charly
> Mac OS X 10.7.4 (11E52) MacBook Intel C2Duo MacGPG2-2.0.17-9
> Thunderbird 13.0 Enigmail 1.4.2 (20120519-0100)
Re: can someone verify the gnupg Fingerprint for pubkey?
Sam Smith June 6, 2012 9:25:37 AM wrote:
Sam Smith wrote on 6/6/12 8:54 AM:
> Can someone please verify that I have the legit public key to verify
> GnuPG with? I checked the website but the Fingerprint is not given anywhere.
>
> I got this Fingerprint for the Public Key I downloaded
>
> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

That's the fingerprint for Werner Koch (dist sig):

pub 2048R/4F25E3B6 created: 2011-01-12 expires: 2019-12-31 usage: SC
trust: [] validity: []
sub 2048R/AC87C71A created: 2011-01-12 expires: 2019-12-31 usage: A
[] (1). Werner Koch (dist sig)
pub 2048R/4F25E3B6 2011-01-12 Werner Koch (dist sig)
Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

Hope this is what you were looking for.
Charly
Mac OS X 10.7.4 (11E52) MacBook Intel C2Duo MacGPG2-2.0.17-9
Thunderbird 13.0 Enigmail 1.4.2 (20120519-0100)
can someone verify the gnupg Fingerprint for pubkey?
Can someone please verify that I have the legit public key to verify GnuPG with? I checked the website but the Fingerprint is not given anywhere.

I got this Fingerprint for the Public Key I downloaded

D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
Re: scdaemon needs restarting after removing OpenPGP smartcard
On 2012-06-05 at 17:55 +0200, Werner Koch wrote:
> gniibe: You reported a couple of other possible problems. Do you think
> we should go after them for a 2.0.20?

My changes are basically two areas in master branch.

(1) Fix of ccid-driver.c for partial support of extended APDU. This was needed for Gnuk (< version 0.16).

(2) Pinpad input enhancement for passphrase modification.

Besides, I know there is a problem in scd_update_reader_status_file, which was reported the other day, but I haven't fixed yet. I think that access to the object of "struct slot_status_s" should be locked.

I'll look into those for backporting.
--
Re: FAQ, take two
On Tue, 5 Jun 2012 19:22, r...@sixdemonbag.org said:
> I can add these: it shouldn't be a problem. The reason I'm using XHTML,
> incidentally, is to make it as easy as possible for you to convert it
> into org-mode: an hour's work with a SAX parser should be able to take
> care of most of it. If I knew the first thing about org-mode I'd write
> the script myself.

org-mode is pretty easy to understand. The current faq.org should be sufficient as an example. Rendering it to txt and html is a quick 10 lines rule in doc/Makefile.am. Add ~4 lines for each other format (PDF, ODT, Latex, XOXO, DocBook).

Let me give the conversion a try once you are finished.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: FAQ, take two
On Tue, 5 Jun 2012 22:26, kloec...@kde.org said:
> Supports GnuPG versions: 1.4, 2.0

FWIW: Kontact Touch has been developed against GnuPG 2.1. I am not sure whether it works with 2.0. The Linux version will likely work but the WindowsCE version won't work - but well, nobody is using the latter.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.