Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Peter Lebbing
On 09/06/12 22:55, Robert J. Hansen wrote:
 I apologize for not understanding sooner

There's no need for that :)

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Gpg4win

2012-06-10 Thread Werner Koch
On Sat,  9 Jun 2012 18:35, jw72...@verizon.net said:
 When I installed Gpg4win, it came with GnuPG v2.0.17. I am not sure
 when it will be updated to include v2.0.19, but I was wondering

The new beta has 2.0.19.

 whether there would be any problem from substituting the new version
 of gpgv2.exe for the older one? Thanks.

Why do you want an older version of gpg2 ?

It will work to some extent but it is not suggested.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Werner Koch
On Sat,  9 Jun 2012 11:28, markr-gn...@signal100.com said:

 Do you know of any common modern browsers that have finger protocol
 support built in? I wonder, how many people even have a finger client

Indeed they must have dropped finger recently.  I don't know when I
checked the last time, but back then Mozilla supported it.  It is a bit
stupid that they dropped the simplest protocol ever used on the net but
keep on supporting the broken stuff (e.g. SSLv2, MD5).
Anyway:  gpg --fetch-keys still supports finger.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




RE: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Sam Smith

Okay. So please let me know if I understand correctly what I am supposed to do 
(or what you guys are recommending be done) with key signing:

I downloaded the GnuPG program and ran gpg --verify. I am told the keyID that 
signed the program. I download that KeyID from a keyserver. I now ask people on 
this list to verify the fingerprint of the key I got from the keyserver as a 
legit key. (So far this behavior is okay, right)? Since people on this list 
verified the fingerprint, I have enough confidence to verify the GnuPG program 
with the key. BUT I do not have enough confidence to mark the key (the one I 
got from the keyserver) as Trusted or to Sign the key because I have not met 
with Werner Koch in person and seen credentials. 

Summation of Proper Key Signing Behavior: 

1.) I should NOT sign a key as trusted unless I have actually met with the 
person and seen his/her credentials. I can sign if I KNOW the person and verify 
the fingerprint with that person. But even these situations run the risk of 
dealing with a secret agent.

Applying this rule, since I have not met Werner Koch, I should not sign his 
key. Verifying the fingerprint on a downloaded key is enough to use the key to 
verify software, but it's not enough to actually trust and sign the key. Hence 
using it to verify runs some risk because the key is not totally trustworthy.

Every time I use Werner Koch's key to verify a GnuPG program, I will get the 
warning that I am verifying with an untrusted key. You guys all get this 
warning because all of you are also not signing keys (even if you've verified 
the fingerprint with others) because you have not met with all the people 
needed in order to sign all the keys you have. Right? You guys all get this 
warning whenever you gpg --verify, right?

In short, I should always be seeing the notice that I have verified using an 
untrusted key when using Werner Koch's key unless/until I actually meet him and 
see credentials. The only time you guys don't see this notice when verifying a 
key is when you use a key that you have actually met the signer of face to 
face, right?


Do I understand correctly? Is this all accurate? With this behavior, would I be 
doing Best Practices and what you guys all do?


Thanks for the instruction, guys. I appreciate the time and energy you guys 
spent writing the emails to me. It means a lot to me.


 Date: Sat, 9 Jun 2012 06:09:54 +0100
 From: da...@gbenet.com
 To: smick...@hotmail.com
 CC: gnupg-users@gnupg.org
 Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 08/06/12 22:41, Sam Smith wrote:
  
  Another thing is that downloading the key from that link you provided is no 
  guarantee of safety in and of itself either because the page is not being 
  hosted over SSL with confirmed identity information. So technically there's 
  no guarantee I'm actually interacting with the GnuPG.org website.
  
  
  
  Date: Thu, 7 Jun 2012 05:23:43 +0100
  From: da...@gbenet.com
  To: gnupg-users@gnupg.org
  Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
 
  On 07/06/12 00:15, Sam Smith wrote:
  yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm 
  trying to guard against.
 
  My efforts to verify the fingerprint are the best way to do this, 
  correct?
 
 
 
 
  Date: Wed, 6 Jun 2012 21:54:01 +0200
  From: pe...@digitalbrains.com
  To: gnupg-users@gnupg.org
  Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
 
  On 06/06/12 17:58, Mika Suomalainen wrote:
  D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Looks correct.
 
  % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
  gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
  gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
 
  I agree it appears he has the correct key. I did a local sig on it after what
  checking I seemed to be able to do without meeting people in person.

  But it's a bit unclear to me on what basis you decided it looked correct? Your
  mail suggests to me that you decided that based on the fact that the UID on
  that key is "Werner Koch (dist sig)". But that would be the very first thing a
  potential attacker would duplicate in his effort to fool our OP. Even if he's
  using MITM tricks to subvert his system, he can still post his personally
  generated key to the keyserver with this UID.
 
  Peter.
 
  PS: I briefly considered signing this message, because the attacker might MITM
  my message to the OP. Then I realised what good that signature would do :).
 
  --
  I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
  You can send me encrypted mail if you want some privacy.
  My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
 

RE: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Sam Smith

I wasn't going to say anything, but I had no idea what Mr. Koch was talking 
about with that finger stuff. I studied his email and the email header 
looking for clues. Couldn't decipher what he meant.

 Date: Sat, 9 Jun 2012 10:28:04 +0100
 From: markr-gn...@signal100.com
 To: gnupg-users@gnupg.org
 Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
 
 On 07/06/2012 11:27, Werner Koch wrote:
  On Wed,  6 Jun 2012 21:54, pe...@digitalbrains.com said:
  
  If you look at my OpenPGP mail header you will be pointed to a “finger”
  address - enter it into your web browser (in case you don't know what
  finger is) and you will see
 
 Just as an aside, I presume you are referring to this header line:
 
 OpenPGP: id=1E42B367; url=finger:w...@g10code.com
 
 Do you know of any common modern browsers that have finger protocol
 support built in? I wonder, how many people even have a finger client
 installed (that their browser would be able to find)?
 
 
 -- 
 MarkR
 
 PGP public key: http://www.signal100.com/markr/pgp
 Key ID: C9C5C162
 
 


RE: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Sam Smith

I have to agree with Peter. I mean, everyone has to trust someone/something at 
some point. I mean you trust Windows OS or your Linux Distro that it is not 
doing bad things. It is calling up all these APIs etc. Have you verified 
everything your OS does? Have you verified every signing key used by your 
Distro or Windows certificate?

At some point you have to trust the integrity of something. And this trust is 
never going to be perfect. There should be caution and if you want assurance 
you should check sources. This was what I was trying to do by asking this list. 
I asked this list after I had already looked other places to verify the 
fingerprint.

If absolute trust was sought for everything, nobody would ever be able to do 
anything because so few things would be trusted enough to move forward on 
anything.

 Date: Sat, 9 Jun 2012 17:05:05 +0200
 From: pe...@digitalbrains.com
 To: r...@sixdemonbag.org
 Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
 CC: gnupg-users@gnupg.org
 
 On 09/06/12 15:44, Robert J. Hansen wrote:
  I'm not weighing in on what the mechanism should be: I don't get to declare 
  what anyone else's policy should be.
 
 I was under the impression you did. I interpreted your mail and particularly the
 statement
 
  but this either is or isn't a proper verification, and there's no 
  in-between.
 
 as meaning that there is only one correct way to do a proper verification. From
 your reply, I understand now you did not mean it like that. I was already quite
 puzzled about my interpretation because it didn't sound like you :).
 
  It doesn't really matter how many Werner Kochs there are.
  
  Sure it does.  As an absurdist thought experiment, let's think of a nation 
  --
  call it Kochistan.  In Kochistan, everyone is required to have the name 
  Werner Koch.  Most people in Kochistan are honest.  If you ask them if 
  they're *the* Werner Koch, they'll tell you no, they're not.
 
 Funnily, we're saying the same thing. You yourself said you don't particularly
 care if Werner Koch is actually called Horace Micklethorpe or Harry Palmer or
 ... Then why are you interested in the number of Werner Kochs?
 
 The thing I'm interested in: is the source of GnuPG I downloaded actually the
 program we know and love. I'm at this point not interested in the fact that
 Werner Koch is a main developer of it, or what his proper name is. For all I
 know his birthname indeed is Horace. He might as well have given the UID "GnuPG
 dist sig" to the key, instead of "Werner Koch (dist sig)". The only reason we
 are talking about the Werner Koch is that his name is in the UID, which might
 as easily not have been. As I said, the number of Werner Kochs is
 insubstantial.
 
  I don't trust crowdsourcing to verify GnuPG.  If someone or some group 
  subverts that system my exposure might be much greater and I might not learn
  about it for quite some time.
 
 So how did you verify your GnuPG source? If you say "I asked a close friend", my
 counterquestion is: How did he/she? What I want to know is: what bootstrapped
 the confidence that the key was the proper GnuPG dist sig?
 
 Personally, I did it by checking from a number of locations that the key making
 the signature is the same from wherever I try. Also, I spread the checks over a
 substantial period of time. If the website got hacked, I hoped it would come out
 in that period of time. It did not at any point include the quantity of Werner
 Kochs.
 
 Now, if I wanted more satisfaction, I would indeed turn to this mailing list,
 ask members whether they see the same fingerprint, and check the replies from
 several locations to see that from wherever I check, the replies are identical.
 
 Again add a little time to allow for members to write to the mailing list "Hey I
 did not write that reply!" in case of impersonation. Hopefully at least one
 person would notice and expose the deception.
 
 And I do not see this process as, to quote you, "certifiably crazy" at all. It
 would perhaps be if I only checked it from the same computer as where I
 downloaded the source and signature and keyblock, but nowhere is it stated this
 is the case.
 
 Peter.
 
 -- 
 I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
 You can send me encrypted mail if you want some privacy.
 My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
 
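
The two questions running through this thread (Sam's "will I always see the untrusted-key warning?" and Peter's "is the key that made the signature the one everybody else sees?") are easier to answer by looking at the machine-readable status lines gpg emits with --status-fd than at its human-readable warning. The following Python is an added example, not code from this thread or from the GnuPG project. It parses such status output, pins the fingerprint posted in this thread, and reports separately whether the signature is good, whether it was made by the pinned key, and whether the TRUST_* line is one for which gpg prints the "not certified with a trusted signature" warning. Both status transcripts are constructed; the impostor key's fingerprint is made up and shares only its last eight hex digits (the short key ID 4F25E3B6) with the real one, to show why matching the user ID or short key ID is not a verification.

```python
"""Added example: check gpg --status-fd output against a pinned fingerprint."""
import re

# Fingerprint of the "Werner Koch (dist sig)" key as posted in this thread.
PINNED_DIST_FPR = "D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6"

# Ownertrust levels gpg reports on a TRUST_* line. Below FULLY, gpg prints the
# "WARNING: This key is not certified with a trusted signature!" message.
TRUST_LEVELS = ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                "TRUST_FULLY", "TRUST_ULTIMATE")
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Status keywords that mean the signature must not be accepted.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fingerprint(fpr):
    """Drop whitespace and upper-case; accept only a 160-bit (v4) fingerprint."""
    compact = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError("not a 40-hex-digit OpenPGP fingerprint: %r" % fpr)
    return compact


def parse_status(status_text):
    """Map each '[GNUPG:] KEYWORD arg...' line to keyword -> list of arguments."""
    fields = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line[len("[GNUPG:] "):].split(" ")
            fields[parts[0]] = parts[1:]
    return fields


def check_signature(status_text, pinned_fpr=PINNED_DIST_FPR):
    """Return a verdict dict; 'accept' is True only for a good signature made
    by the pinned key (or one of its subkeys) with no fatal status keyword."""
    fields = parse_status(status_text)
    pinned = normalize_fingerprint(pinned_fpr)
    verdict = {"good": "GOODSIG" in fields, "fingerprint": None,
               "pinned_match": False, "trust": None, "warning": True,
               "accept": False}
    for level in TRUST_LEVELS:
        if level in fields:
            verdict["trust"] = level
            verdict["warning"] = level not in TRUSTED_LEVELS
    if "VALIDSIG" in fields:
        # VALIDSIG <fpr> <sig-date> <sig-timestamp> <expire-timestamp>
        #          <sig-version> <reserved> <pubkey-algo> <hash-algo>
        #          <sig-class> <primary-key-fpr>
        args = fields["VALIDSIG"]
        verdict["fingerprint"] = normalize_fingerprint(args[0])
        primary = normalize_fingerprint(args[9]) if len(args) > 9 else verdict["fingerprint"]
        verdict["pinned_match"] = pinned in (verdict["fingerprint"], primary)
    verdict["accept"] = (verdict["good"] and verdict["pinned_match"]
                         and not (FATAL_KEYWORDS & set(fields)))
    return verdict


# Constructed transcript: genuine signature by the pinned key on a machine where
# that key has not been certified, so gpg reports TRUST_UNDEFINED.
GENUINE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)
[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2012-06-10 1339329600 0 4 0 17 2 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed transcript: an impostor key carrying the same user ID. Its
# fingerprint is made up and shares only the last eight hex digits (the short
# key ID 4F25E3B6) with the real key, so "GOODSIG ... Werner Koch (dist sig)"
# looks fine while the full fingerprint does not match.
IMPOSTOR = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA984F25E3B6 Werner Koch (dist sig)
[GNUPG:] VALIDSIG 000011112222333344445555FEDCBA984F25E3B6 2012-06-10 1339329600 0 4 0 17 2 00 000011112222333344445555FEDCBA984F25E3B6
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    for name, status in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        v = check_signature(status)
        print("%-8s accept=%-5s trust=%s warning=%s" %
              (name, v["accept"], v["trust"], v["warning"]))
```

Feed it real output with something like `gpg --status-fd 1 --verify gnupg-2.0.19.tar.bz2.sig gnupg-2.0.19.tar.bz2`. The point of the split verdict is that "warning" and "accept" are independent: the genuine transcript is accepted even though TRUST_UNDEFINED means gpg would still print the warning (a local signature with --lsign-key is what turns that into TRUST_FULLY on one machine), while the impostor transcript has a GOODSIG line and the right-looking user ID but is rejected because the full fingerprint is not the pinned one.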


RE: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Sam Smith

Mr. Koch, can you (or anyone else) recommend a book that is good for novices 
like myself that covers GPG public keys and can help me learn how to verify 
identity based on the chain of trust (self-signatures and other signatures as 
you said in your email ) and covers other aspects of how GPG works with regards 
to the PGP model?



 From: w...@gnupg.org
 To: smick...@hotmail.com
 CC: da...@gbenet.com; gnupg-users@gnupg.org
 Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
 Date: Sat, 9 Jun 2012 10:19:37 +0200
 
 On Fri,  8 Jun 2012 23:41, smick...@hotmail.com said:
 
  Another thing is that downloading the key from that link you provided
  is no guarantee of safety in and of itself either because the page is
  not being hosted over SSL with confirmed identity information. So
 
 That is not relevant.  The key (correct OpenPGP term is “keyblock” but
 sometimes also called “certificate”) is in itself secure; the included
 self-signature and signatures from other people shall be used to
 evaluate the identity of the key owner.
 
 
 Shalom-Salam,
 
Werner
 
 -- 
 Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
 


Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Werner Koch
On Sun, 10 Jun 2012 16:03, smick...@hotmail.com said:
 I wasn't going to say anything, but I had no idea what Mr. Koch was
 talking about with that finger stuff. I studied his email and the
 email header looking for clues. Couldn't decipher what he meant.

I am sorry about this.  Most of the time I am in hacker mode and thus
assume that everyone reading this list is a grey haired or bearded Unix
old-timer.  Those for sure know what finger is (i.e. a quick check
whether someone is online and what his plans and projects are).

But you are right: This is a _user_ mailing list and thus I would do a
better job by briefly explaining such stuff.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Werner Koch
On Sun, 10 Jun 2012 16:36, smick...@hotmail.com said:

 Mr. Koch, can you (or anyone else) recommend a book that is good for
 novices like myself that covers GPG public keys and can help me learn
 how to verify identity based on the chain of trust (self-signatures
 and other signatures as you said in your email ) and covers other
 aspects of how GPG works with regards to the PGP model?

You may want to read the Gpg4win compendium:

  http://gpg4win.org/documentation.html

It is marked as a beta version but there are no severe flaws in it.
There are also a couple of HOWTO documents under http://gnupg.org .
In a book store you should also find books on PGP.
 

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Robert J. Hansen
On 06/10/2012 10:36 AM, Sam Smith wrote:
 Mr. Koch, can you (or anyone else) recommend a book...

Michael W. Lucas, PGP & GPG: Email for the Practical Paranoid, No
Starch Press, 2006.

http://www.powells.com/biblio/62-9781593270711-0
http://www.amazon.com/PGP-GPG-Email-Practical-Paranoid/dp/1593270712

Use whichever link you prefer: I use Amazon, but I know some people
vastly prefer Powell's.



Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread da...@gbenet.com
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 10/06/12 14:59, Sam Smith wrote:
 
 Okay. So please let me know if I understand correctly what I am supposed to 
 do (or what you guys are recommending be done) with key signing:
 
 I downloaded the GnuPG program and ran gpg --verify. I am told the keyID that 
 signed the program. I download that KeyID from a keyserver. I now ask people 
 on this list to verify the fingerprint of the key I got from the keyserver as 
 a legit key. (So far this behavior is okay, right)? Since people on this list 
 verified the fingerprint, I have enough confidence to verify the GnuPG 
 program with the key. BUT I do not have enough confidence to mark the key 
 (the one I got from the keyserver) as Trusted or to Sign the key because I 
 have not met with Werner Koch in person and seen credentials. 
 
 Summation of Proper Key Signing Behavior: 
 
 1.) I should NOT sign a key as trusted unless I have actually met with the 
 person and seen his/her credentials. I can sign if I KNOW the person and 
 verify the fingerprint with that person. But even these situations run the 
 risk of dealing with a secret agent.
 
 Applying this rule, since I have not met Werner Koch, I should not sign his 
 key. Verifying the fingerprint on a downloaded key is enough to use the key 
 to verify software, but it's not enough to actually trust and sign the key. 
 Hence using it to verify runs some risk because the key is not totally 
 trustworthy.
 
 Every time I use Werner Koch's key to verify a GnuPG program, I will get the 
 warning that I am verifying with an untrusted key. You guys all get this 
 warning because all of you are also not signing keys (even if you've verified 
 the fingerprint with others) because you have not met with all the people 
 needed in order to sign all the keys you have. Right? You guys all get this 
 warning whenever you gpg --verify, right?
 
 In short, I should always be seeing the notice that I have verified using an 
 untrusted key when using Werner Koch's key unless/until I actually meet him 
 and see credentials. The only time you guys don't see this notice when 
 verifying a key is when you use a key that you have actually met the signer 
 of face to face, right?
 
 
 Do I understand correctly. Is this all accurate? With this behavior, would I 
 be doing Best Practices and what you guys all do?
 
 
 Thanks for the instruction, guys. I appreciate the time and energy you guys 
 spent writing the emails to me. means a lot to me.
 
 

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Robert J. Hansen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David --

Please consider using clear signatures instead of conventional
signatures.  If someone looks in the list archives they'll see a huge
opaque blob of text they can't read.  Likewise if someone tries to
read your email on a system that doesn't have GnuPG installed.

Secondly, your message was 253 lines of quoted text and 14 of your own
text.  This means that 94% of the message was quoted.  This is a
little outré.  I'd appreciate it a great deal if you'd trim your quotes.

You are certainly free to ignore me on those two counts, but I hope
you'll do me the favor of considering them.  Thank you.  :)

That said --

 I suspect there are few secret government agents - not that they 
 are likely to say so :) though some believe them to be everywhere.

At least one person who has posted to this list is publicly affiliated
with intelligence services, yes -- it's right there in his official
bio.  That said, there's a *huge* difference between normal guy who
happens to be associated with the government is on this list and the
kind of stuff the conspiracy theorists believe is happening, is
actually happening.

(I will not say who this person is.  I once received a death threat
from someone on this list who was convinced I was an FBI plant,
threatened my life, declared me to be Satanic, and went so far as to
look up my home address and phone number from WHOIS data in order to
make the threat more credible.  Given people like that exist, I feel
being circumspect about this person's identity is the only responsible
thing to do.)

-BEGIN PGP SIGNATURE-

iFYEAREIAAYFAk/VZT8ACgkQI4Br5da5jhBsIwDdGTY8tuRi06EL6WTDyKsbvB2p
uFq4rNSsmGCGQwDfbtplsGFDNLhaQl27JbGZFv1B7yqBqUAxMDKxUA==
=lDBg
-END PGP SIGNATURE-



Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-10 Thread Robert J. Hansen
On 06/10/2012 11:25 PM, Robert J. Hansen wrote:
 Please consider using clear signatures instead of conventional
 signatures.

My apologies: you're sending it with Base64 encoding instead of as
text/plain.  With that correction my comment still applies: it's much
harder for those viewing the list archives to make sense of.
