Re: can someone verify the gnupg Fingerprint for pubkey?
On 10/06/12 15:36, Sam Smith wrote:
>
> Mr. Koch, can you (or anyone else) recommend a book that is good for novices
> like myself that covers GPG public keys and can help me learn how to verify
> identity based on the chain of trust (self-signatures and other signatures as
> you said in your email ) and covers other aspects of how GPG works with
> regards to the PGP model?
>
>> From: w...@gnupg.org
>> To: smick...@hotmail.com
>> CC: da...@gbenet.com; gnupg-users@gnupg.org
>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>> Date: Sat, 9 Jun 2012 10:19:37 +0200
>>
>> On Fri, 8 Jun 2012 23:41, smick...@hotmail.com said:
>>
>>> Another thing is that downloading the key from that link you provided
>>> is no guarantee of safety in and of itself either because the page is
>>> not being hosted over SSL with confirmed identity information. So
>>
>> That is not relevant. The key (correct OpenPGP term is “keyblock” but
>> sometimes also called “certificate”) is in itself secure; the included
>> self-signature and signatures from other people shall be used to
>> evaluate the identity of the key owner.
>>
>> Shalom-Salam,
>>
>>    Werner
>>
>> --
>> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
>

Hello Sam,

I am constantly adding books to my web site - take a look at my web site - see link below.

David

--
https://linuxcounter.net/user/512854.html - http://gbenet.com/blog - cryptology - for books how-to's - mailing lists and more

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: can someone verify the gnupg Fingerprint for pubkey?
On 10.06.2012 21:17, Werner Koch wrote:
> On Sun, 10 Jun 2012 16:03, smick...@hotmail.com said:
>> I wasn't going to say anything, but I had no idea what Mr. Koch
>> was talking about with that "finger" stuff. I studied his email
>> and the email header looking for clues. Couldn't decipher what he
>> meant.
>
> I am sorry about this. Most of the time I am in hacker mode and
> thus assume that everyone reading this list is a grey haired or
> bearded Unix old-timer. Those for sure know what finger is (i.e. a
> quick check whether someone is online and what his plans and
> projects are).

16, Linux user since 2008 :)

> But you are right: This is a _user_ mailing list and thus I would
> do a better job by briefly explaining such stuff.
>
> Salam-Shalom,
>
> Werner

--
[Mika Suomalainen](https://mkaysi.github.com/) || [gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) || [Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) || [Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) || [This signature](https://gist.github.com/2643070#file_icedove.md) || [Please reply below this line](http://mkaysi.github.com/articles/complaining/topposting.html)
Re: can someone verify the gnupg Fingerprint for pubkey?
On 10.06.2012 17:36, Sam Smith wrote:
> Mr. Koch, can you (or anyone else) recommend a book that is good
> for novices like myself that covers GPG public keys and can help me
> learn how to verify identity based on the chain of trust
> (self-signatures and other signatures as you said in your email )
> and covers other aspects of how GPG works with regards to the PGP
> model?

I cannot recommend a book, but I can link to this Wikipedia article,
https://en.wikipedia.org/wiki/Web_of_trust .

--
[Mika Suomalainen](https://mkaysi.github.com/) || [gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) || [Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) || [Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) || [This signature](https://gist.github.com/2643070#file_icedove.md) || [Please reply below this line](http://mkaysi.github.com/articles/complaining/topposting.html)
Re: can someone verify the gnupg Fingerprint for pubkey?
David, please trim your quotes!

Thanks,

  Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: can someone verify the gnupg Fingerprint for pubkey?
On 10/06/2012 15:03, Sam Smith wrote:
> I wasn't going to say anything, but I had no idea what Mr. Koch was
> talking about with that "finger" stuff. I studied his email and the
> email header looking for clues. Couldn't decipher what he meant.
>
>> Date: Sat, 9 Jun 2012 10:28:04 +0100
>> From: markr-gn...@signal100.com
>> To: gnupg-users@gnupg.org
>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>>
>> On 07/06/2012 11:27, Werner Koch wrote:
>> > On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said:
>> >
>> > If you look at my OpenPGP mail header you will be pointed to a “finger”
>> > address - enter it into your web browser (in case you don't know what
>> > finger is) and you will see
>>
>> Just as an aside, I presume you are referring to this header line:
>>
>> OpenPGP: id=1E42B367; url=finger:w...@g10code.com
>>
>> Do you know of any common modern browsers that have finger protocol
>> support built in? I wonder, how many people even have a finger client
>> installed (that their browser would be able to find)?

Finger protocol: http://en.wikipedia.org/wiki/Finger_protocol

I think that Finger protocol support was removed from Firefox in V4 (or even before). Not sure when it was removed from IE (or if it was ever there).

To my great surprise, Windows has a native command line finger client (still there in W7).

--
MarkR

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162
Re: can someone verify the gnupg Fingerprint for pubkey?
da...@gbenet.com wrote:
> Hello Sam,
>
> Most people are normal users of pgp - I suspect there are few secret
> government agents - not that they are likely to say so :)
> though some believe them to be everywhere.

Secret agents may or may not be here. Actual operatives one doesn't know if they're here. It's often said the best way to hide is in plain sight.

I can think of a high-level InfoSec official for a branch of the CIA, a former employee of the NSA, and a few folks paid by agencies of, or directly by their gov't to write crypto software. Those folks ain't hiding at all. Poke about on [Cryptography] and [IETF-OpenPGP] you may even find a few more :-)

Just because you don't see a nsa.gov or fbi.gov return address, or the English or German equivalents, doesn't mean they're not here. Most are regular folks and like the rest of us, have an interest in crypto and its uses. Sometimes this interest meshes with their "day job", other times it's orthogonal.

You don't see them, but they're here and on the other crypto lists. ;-)

-John

--
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
  John (@) Enigmail DAWT net    or: John (@) Keyservers DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net or
    mailto:pgp-public-k...@gingerbear.net?subject=HELP

Cowboy Haiku -- Reflections on Rodeo
So many Cowboys/Round Wrangler butts drive me nuts/Never enough rope
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/10/2012 11:25 PM, Robert J. Hansen wrote:
> Please consider using clear signatures instead of conventional
> signatures.

My apologies: you're sending it with Base64 encoding instead of as text/plain. With that correction my comment still applies: it's much harder for those viewing the list archives to make sense of.
Re: can someone verify the gnupg Fingerprint for pubkey?
David --

Please consider using clear signatures instead of conventional signatures. If someone looks in the list archives they'll see a huge opaque blob of text they can't read. Likewise if someone tries to read your email on a system that doesn't have GnuPG installed.

Secondly, your message was 253 lines of quoted text and 14 of your own text. This means that 94% of the message was quoted. This is a little outré. I'd appreciate it a great deal if you'd trim your quotes.

You are certainly free to ignore me on those two counts, but I hope you'll do me the favor of considering them. Thank you. :)

That said --

> I suspect there are few secret government agents - not that they
> are likely to say so :) though some believe them to be everywhere.

At least one person who has posted to this list is publicly affiliated with intelligence services, yes -- it's right there in his official bio. That said, there's a *huge* difference between "normal guy who happens to be associated with the government is on this list" and "the kind of stuff the conspiracy theorists believe is happening, is actually happening."

(I will not say who this person is. I once received a death threat from someone on this list who was convinced I was an FBI plant, threatened my life, declared me to be Satanic, and went so far as to look up my home address and phone number from WHOIS data in order to make the threat more credible. Given people like that exist, I feel being circumspect about this person's identity is the only responsible thing to do.)
Re: can someone verify the gnupg Fingerprint for pubkey?
On 10/06/12 14:59, Sam Smith wrote:
>
> Okay. So please let me know if I understand correctly what I am supposed to
> do (or what you guys are recommending be done) with key signing:
>
> I downloaded the GnuPG program and ran gpg --verify. I am told the keyID that
> signed the program. I download that KeyID from a keyserver. I now ask people
> on this list to verify the fingerprint of the key I got from the keyserver as
> a legit key. (So far this behavior is okay, right)? Since people on this list
> verified the fingerprint, I have enough confidence to verify the GnuPG
> program with the key. BUT I do not have enough confidence to mark the key
> (the one I got from the keyserver) as Trusted or to Sign the key because I
> have not met with Werner Koch in person and seen credentials.
>
> Summation of Proper Key Signing Behavior:
>
> 1.) I should NOT sign a key as trusted unless I have actually met with the
> person and seen his/her credentials. I can sign if I KNOW the person and
> verify the fingerprint with that person. But even these situations run the
> risk of dealing with a "secret agent."
>
> Applying this rule, since I have not met Werner Koch, I should not sign his
> key. Verifying the fingerprint on a downloaded key is enough to use the key
> to verify software, but it's not enough to actually trust and sign the key.
> Hence using it to verify runs some risk because the key is not totally
> trustworthy.
>
> Every time I use Werner Koch's key to verify a GnuPG program, I will get the
> warning that I am verifying with an untrusted key. You guys all get this
> warning because all of you are also not signing keys (even if you've verified
> the fingerprint with others) because you have not met with all the people
> needed in order to sign all the keys you have. Right? You guys all get this
> warning whenever you "gpg --verify", right?
>
> In short, I should always be seeing the notice that I have verified using an
> untrusted key when using Werner Koch's key unless/until I actually meet him
> and see credentials. The only time you guys don't see this notice when
> verifying a key is when you use a key that you have actually met the signer
> of face to face, right?
>
> Do I understand correctly? Is this all accurate? With this behavior, would I
> be doing Best Practices and what you guys all do?
>
> Thanks for the instruction, guys. I appreciate the time and energy you guys
> spent writing the emails to me. means a lot to me.
>
>> Date: Sat, 9 Jun 2012 06:09:54 +0100
>> From: da...@gbenet.com
>> To: smick...@hotmail.com
>> CC: gnupg-users@gnupg.org
>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>>
> On 08/06/12 22:41, Sam Smith wrote:
>>>>
>>>> Another thing is that downloading the key from that link you provided is
>>>> no guarantee of safety in and of itself either because the page is not
>>>> being hosted over SSL with confirmed identity information. So technically
>>>> there's no guarantee I'm actually interacting with the GnuPG.org website.
>>>>
>>>>> Date: Thu, 7 Jun 2012 05:23:43 +0100
>>>>> From: da...@gbenet.com
>>>>> To: gnupg-users@gnupg.org
>>>>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>>>>>
>>>> On 07/06/12 00:15, Sam Smith wrote:
>>>>>>> yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm
>>>>>>> trying to guard against.
>>>>>>>
>>>>>>> My efforts to verify the fingerprint are the best way to do this,
>>>>>>> correct?
>>>>>>>
>>>>>>>> Date: Wed, 6 Jun 2012 21:54:01 +0200
>>>>>>>> From: pe...@digitalbrains.com
>>>>>>>> To: gnupg-users@gnupg.org
>>>>>>>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>>>>>>>>
>>>>>>>> On 06/06/12 17:58, Mika Suomalainen wrote:
>>>>>>>>>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>>>>>>>>> Looks correct.
>>>>>>>>>
>>>>>>>>> ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
>>>>>>>>> gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyserv
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/10/2012 10:36 AM, Sam Smith wrote:
> Mr. Koch, can you (or anyone else) recommend a book...

Michael W. Lucas, "PGP & GPG: Email for the Practical Paranoid," No Starch Press, 2006.

http://www.powells.com/biblio/62-9781593270711-0
http://www.amazon.com/PGP-GPG-Email-Practical-Paranoid/dp/1593270712

Use whichever link you prefer: I use Amazon, but I know some people vastly prefer Powell's.
Re: can someone verify the gnupg Fingerprint for pubkey?
On Sun, 10 Jun 2012 16:36, smick...@hotmail.com said:
> Mr. Koch, can you (or anyone else) recommend a book that is good for
> novices like myself that covers GPG public keys and can help me learn
> how to verify identity based on the chain of trust (self-signatures
> and other signatures as you said in your email ) and covers other
> aspects of how GPG works with regards to the PGP model?

You may want to read the Gpg4win compendium:

  http://gpg4win.org/documentation.html

It is marked as a beta version but there are no severe flaws in it. There are also a couple of HOWTO documents under http://gnupg.org . In a book store you should also find books on PGP.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: can someone verify the gnupg Fingerprint for pubkey?
On Sun, 10 Jun 2012 16:03, smick...@hotmail.com said:
> I wasn't going to say anything, but I had no idea what Mr. Koch was
> talking about with that "finger" stuff. I studied his email and the
> email header looking for clues. Couldn't decipher what he meant.

I am sorry about this. Most of the time I am in hacker mode and thus assume that everyone reading this list is a grey haired or bearded Unix old-timer. Those for sure know what finger is (i.e. a quick check whether someone is online and what his plans and projects are).

But you are right: This is a _user_ mailing list and thus I would do a better job by briefly explaining such stuff.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
RE: can someone verify the gnupg Fingerprint for pubkey?
Mr. Koch, can you (or anyone else) recommend a book that is good for novices like myself that covers GPG public keys and can help me learn how to verify identity based on the chain of trust (self-signatures and other signatures as you said in your email ) and covers other aspects of how GPG works with regards to the PGP model?

> From: w...@gnupg.org
> To: smick...@hotmail.com
> CC: da...@gbenet.com; gnupg-users@gnupg.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> Date: Sat, 9 Jun 2012 10:19:37 +0200
>
> On Fri, 8 Jun 2012 23:41, smick...@hotmail.com said:
>
> > Another thing is that downloading the key from that link you provided
> > is no guarantee of safety in and of itself either because the page is
> > not being hosted over SSL with confirmed identity information. So
>
> That is not relevant. The key (correct OpenPGP term is “keyblock” but
> sometimes also called “certificate”) is in itself secure; the included
> self-signature and signatures from other people shall be used to
> evaluate the identity of the key owner.
>
> Shalom-Salam,
>
>    Werner
>
> --
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
RE: can someone verify the gnupg Fingerprint for pubkey?
I have to agree with Peter. I mean, everyone has to trust someone/something at some point. I mean you trust Windows OS or your Linux Distro that it is not doing bad things. It is calling up all these APIs etc. Have you verified everything your OS does? Have you verified every signing key used by your Distro or Windows certificate? At some point you have to trust the integrity of something. And this trust is never going to be perfect. There should be caution and if you want assurance you should check sources. This was what I was trying to do by asking this list. I asked this list after I had already looked other places to verify the fingerprint.

If absolute trust was sought for everything, nobody would ever be able to do anything because so few things would be trusted enough to move forward on anything.

> Date: Sat, 9 Jun 2012 17:05:05 +0200
> From: pe...@digitalbrains.com
> To: r...@sixdemonbag.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> CC: gnupg-users@gnupg.org
>
> On 09/06/12 15:44, Robert J. Hansen wrote:
> > I'm not weighing in on what the mechanism should be: I don't get to declare
> > what anyone else's policy should be.
>
> I was under the impression you did. I interpreted your mail and particularly
> the statement
>
> > but this either is or isn't a proper verification, and there's no
> > in-between.
>
> as meaning that there is only one correct way to do a proper verification.
> From your reply, I understand now you did not mean it like that. I was
> already quite puzzled about my interpretation because it didn't sound like
> you :).
>
> >> It doesn't really matter how many Werner Kochs there are.
> >
> > Sure it does. As an absurdist thought experiment, let's think of a nation
> > -- call it Kochistan. In Kochistan, everyone is required to have the name
> > Werner Koch. Most people in Kochistan are honest. If you ask them if
> > they're *the* Werner Koch, they'll tell you no, they're not.
>
> Funnily, we're saying the same thing. You yourself said you don't
> particularly care if Werner Koch is actually called Horace Micklethorpe or
> Harry Palmer or ... Then why are you interested in the number of Werner
> Kochs?
>
> The thing I'm interested in: is the source of GnuPG I downloaded actually
> the program we know and love. I'm at this point not interested in the fact
> that Werner Koch is a main developer of it, or what his proper name is. For
> all I know his birthname indeed is Horace. He might as well have given the
> UID "GnuPG dist sig" to the key, instead of "Werner Koch (dist sig)". The
> only reason we are talking about "the" Werner Koch is that his name is in
> the UID, which might as easily not have been. As I said, the number of
> Werner Kochs is insubstantial.
>
> > I don't trust crowdsourcing to verify GnuPG. If someone or some group
> > subverts that system my exposure might be much greater and I might not
> > learn about it for quite some time.
>
> So how did you verify your GnuPG source? If you say "I asked a close
> friend", my counterquestion is: How did he/she? What I want to know is:
> what bootstrapped the confidence that the key was the proper GnuPG dist
> sig?
>
> Personally, I did it by checking from a number of locations that the key
> making the signature is the same from wherever I try. Also, I spread the
> checks over a substantial period of time. If the website got hacked, I
> hoped it would come out in that period of time. It did not at any point
> include the quantity of Werner Kochs.
>
> Now, if I wanted more satisfaction, I would indeed turn to this mailing
> list, ask members whether they see the same fingerprint, and check the
> replies from several locations to see that from wherever I check, the
> replies are identical.
>
> Again add a little time to allow for members to write to the mailing list
> "Hey I did not write that reply!" in case of impersonation. Hopefully at
> least one person would notice and expose the deception.
>
> And I do not see this process as, to quote you, "certifiably crazy" at all.
> It would perhaps be if I only checked it from the same computer as where I
> downloaded the source and signature and keyblock, but nowhere is it stated
> this is the case.
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
RE: can someone verify the gnupg Fingerprint for pubkey?
I wasn't going to say anything, but I had no idea what Mr. Koch was talking about with that "finger" stuff. I studied his email and the email header looking for clues. Couldn't decipher what he meant.

> Date: Sat, 9 Jun 2012 10:28:04 +0100
> From: markr-gn...@signal100.com
> To: gnupg-users@gnupg.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>
> On 07/06/2012 11:27, Werner Koch wrote:
> > On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said:
> >
> > If you look at my OpenPGP mail header you will be pointed to a “finger”
> > address - enter it into your web browser (in case you don't know what
> > finger is) and you will see
>
> Just as an aside, I presume you are referring to this header line:
>
> OpenPGP: id=1E42B367; url=finger:w...@g10code.com
>
> Do you know of any common modern browsers that have finger protocol
> support built in? I wonder, how many people even have a finger client
> installed (that their browser would be able to find)?
>
> --
> MarkR
>
> PGP public key: http://www.signal100.com/markr/pgp
> Key ID: C9C5C162
RE: can someone verify the gnupg Fingerprint for pubkey?
Okay. So please let me know if I understand correctly what I am supposed to do (or what you guys are recommending be done) with key signing:

I downloaded the GnuPG program and ran gpg --verify. I am told the keyID that signed the program. I download that KeyID from a keyserver. I now ask people on this list to verify the fingerprint of the key I got from the keyserver as a legit key. (So far this behavior is okay, right)? Since people on this list verified the fingerprint, I have enough confidence to verify the GnuPG program with the key. BUT I do not have enough confidence to mark the key (the one I got from the keyserver) as Trusted or to Sign the key because I have not met with Werner Koch in person and seen credentials.

Summation of Proper Key Signing Behavior:

1.) I should NOT sign a key as trusted unless I have actually met with the person and seen his/her credentials. I can sign if I KNOW the person and verify the fingerprint with that person. But even these situations run the risk of dealing with a "secret agent."

Applying this rule, since I have not met Werner Koch, I should not sign his key. Verifying the fingerprint on a downloaded key is enough to use the key to verify software, but it's not enough to actually trust and sign the key. Hence using it to verify runs some risk because the key is not totally trustworthy.

Every time I use Werner Koch's key to verify a GnuPG program, I will get the warning that I am verifying with an untrusted key. You guys all get this warning because all of you are also not signing keys (even if you've verified the fingerprint with others) because you have not met with all the people needed in order to sign all the keys you have. Right? You guys all get this warning whenever you "gpg --verify", right?

In short, I should always be seeing the notice that I have verified using an untrusted key when using Werner Koch's key unless/until I actually meet him and see credentials. The only time you guys don't see this notice when verifying a key is when you use a key that you have actually met the signer of face to face, right?

Do I understand correctly? Is this all accurate? With this behavior, would I be doing Best Practices and what you guys all do?

Thanks for the instruction, guys. I appreciate the time and energy you guys spent writing the emails to me. means a lot to me.

> Date: Sat, 9 Jun 2012 06:09:54 +0100
> From: da...@gbenet.com
> To: smick...@hotmail.com
> CC: gnupg-users@gnupg.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>
> On 08/06/12 22:41, Sam Smith wrote:
> >
> > Another thing is that downloading the key from that link you provided is no
> > guarantee of safety in and of itself either because the page is not being
> > hosted over SSL with confirmed identity information. So technically there's
> > no guarantee I'm actually interacting with the GnuPG.org website.
> >
> >> Date: Thu, 7 Jun 2012 05:23:43 +0100
> >> From: da...@gbenet.com
> >> To: gnupg-users@gnupg.org
> >> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> >>
> > On 07/06/12 00:15, Sam Smith wrote:
> >>>> yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm
> >>>> trying to guard against.
> >>>>
> >>>> My efforts to verify the fingerprint are the best way to do this,
> >>>> correct?
> >>>>
> >>>>> Date: Wed, 6 Jun 2012 21:54:01 +0200
> >>>>> From: pe...@digitalbrains.com
> >>>>> To: gnupg-users@gnupg.org
> >>>>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> >>>>>
> >>>>> On 06/06/12 17:58, Mika Suomalainen wrote:
> >>>>>>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> >>>>>> Looks correct.
> >>>>>>
> >>>>>> ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> >>>>>> gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
> >>>>>> gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
> >>>>>
> >>>>> I agree it appears he has the correct key. I did a local sig on it
> >>>>> after what checking I seemed to be able to do without meeting people
> >>>>> in person.
> >>>>>
> >>>>> But it's a bit unclear to me on what basis you decided it looked
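The two separate checks in Sam's procedure above (does the key fetched by key ID carry the fingerprint other people report, and why does `gpg --verify` still warn about an uncertified key afterwards) written out in Python, as an added example that is not code from the list or from the GnuPG project. It parses constructed samples of GnuPG's `--with-colons` listing and `--status-fd` output; only the fingerprint, key ID and UID come from the thread, while the timestamps, key parameters and file names are assumptions.

```python
"""Fingerprint and trust checks for the GnuPG release verification workflow.

Added example (not GnuPG project code). SAMPLE_COLONS and SAMPLE_STATUS are
constructed in the real `gpg --with-colons` and `gpg --status-fd` formats;
they were not captured from a live run.
"""
import re
import subprocess

# Fingerprint exactly as it was posted on the list (spaces, as a human types it).
POSTED_FINGERPRINT = "D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6"

# Constructed `gpg --with-colons --fingerprint 4F25E3B6` output. Field 2 of the
# pub/uid records is validity ("-" unknown, "m"/"f"/"u" marginal/full/ultimate);
# field 5 of pub is the long key ID; field 10 of fpr is the full fingerprint.
SAMPLE_COLONS = """\
tru::1:1339000000:0:3:1:5
pub:-:1024:17:249B39D24F25E3B6:1325376000:::-:::scESC:
fpr:::::::::D8692123C4065DEA5E0F3AB5249B39D24F25E3B6:
uid:-::::1325376000::0123456789ABCDEF0123456789ABCDEF01234567::Werner Koch (dist sig):
"""

# Constructed status lines from `gpg --status-fd 1 --verify tarball.sig tarball`
# for a good signature made by a key that nobody in this keyring has certified.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)
[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2012-06-06 1338998400 0 4 0 17 2 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def normalize_fingerprint(text: str) -> str:
    """Strip whitespace and upper-case so a posted fingerprint compares to gpg's."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a 160-bit v4 fingerprint: {text!r}")
    return fpr


def short_keyid(fingerprint: str) -> str:
    """The 8-hex-digit key ID gpg --verify names is the tail of the fingerprint.
    It is only a lookup handle: short IDs are not collision-resistant, so the
    decision must rest on the full 40 digits."""
    return normalize_fingerprint(fingerprint)[-8:]


def parse_colons(listing: str) -> dict:
    """Pull key ID, validity, fingerprint and user IDs out of --with-colons output."""
    info = {"uids": []}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            info["validity"], info["keyid"] = f[1], f[4]
        elif f[0] == "fpr":
            info["fingerprint"] = f[9]
        elif f[0] == "uid":
            info["uids"].append(f[9])
    return info


def fingerprint_matches(posted: str, listing: str) -> bool:
    """Check 1: the key fetched from the keyserver carries the fingerprint that
    independent people reported."""
    return normalize_fingerprint(posted) == parse_colons(listing)["fingerprint"]


def classify_verify_status(status: str) -> dict:
    """Check 2: separate 'signature is good' from 'key is certified'.
    GOODSIG/VALIDSIG mean the file really was signed by this key; the TRUST_*
    line reflects key validity in *your* keyring and is what triggers the
    'not certified with a trusted signature' warning Sam asks about."""
    result = {"good_signature": False, "signer_fingerprint": None, "trust": None}
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        words = line.split()
        tag = words[1]
        if tag == "GOODSIG":
            result["good_signature"] = True
        elif tag == "VALIDSIG":
            result["signer_fingerprint"] = words[2]
        elif tag.startswith("TRUST_"):
            result["trust"] = tag[len("TRUST_"):]  # UNDEFINED/NEVER/MARGINAL/FULLY/ULTIMATE
    # Only full or ultimate validity (e.g. after you lsign the key) silences the warning.
    result["warning_expected"] = result["trust"] not in ("FULLY", "ULTIMATE")
    return result


def verify_release(sig_path: str, data_path: str, expected_fpr: str) -> dict:
    """Run the same two checks against a real download. Needs gpg on PATH; with
    --status-fd 1 the machine-readable lines go to stdout, human text to stderr."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True, check=False)
    res = classify_verify_status(proc.stdout)
    res["fingerprint_ok"] = res["signer_fingerprint"] == normalize_fingerprint(expected_fpr)
    return res


if __name__ == "__main__":
    print("key ID gpg would name:", short_keyid(POSTED_FINGERPRINT))
    print("fingerprint matches listing:", fingerprint_matches(POSTED_FINGERPRINT, SAMPLE_COLONS))
    print(classify_verify_status(SAMPLE_STATUS))
```

A good signature from a key with undefined validity is exactly the situation Sam describes: the download is authentic relative to that key, and the warning only says that nothing in your keyring vouches for the key's owner.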
Re: can someone verify the gnupg Fingerprint for pubkey?
On Sat, 9 Jun 2012 11:28, markr-gn...@signal100.com said:
> Do you know of any common modern browsers that have finger protocol
> support built in? I wonder, how many people even have a finger client

Indeed they must have dropped finger recently. I don't know when I checked the last time, but back then Mozilla supported it. It is a bit stupid that they dropped the simplest protocol ever used on the net but keep on supporting the broken stuff (e.g. SSLv2, MD5).

Anyway: "gpg --fetch-keys" still supports finger.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/12 22:55, Robert J. Hansen wrote:
> I apologize for not understanding sooner

There's no need for that :)

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: can someone verify the gnupg Fingerprint for pubkey?
On 6/9/2012 4:14 PM, Peter Lebbing wrote:
> Where the question is going is rather simple: what would you
> recommend Joe Average User to do to verify the authenticity of the
> GnuPG source he downloaded, not questioning his desire to build from
> that source.

Ah, I see. I apologize for not understanding sooner: I thought you were trying to illustrate a point.

I'm generally not comfortable giving advice about what people should do. I'm comfortable making factual statements, presenting options, talking about my own practices or giving perspectives, but I really want to avoid the recommending-what-people-should-do route. I'm not comfortable with that, not unless I'm billing by the hour and have a liability waiver signed in blood. :)

That said, I have found it useful as a general principle to avoid introducing new points of fiat validity. When possible, new sources should be certified through existing validated certificates. Considering my points of fiat validity and minimizing their number has always served me well.
Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/12 20:47, Robert J. Hansen wrote:
> On 06/09/2012 11:57 AM, Peter Lebbing wrote:
>> Suppose you would want to build from the vanilla source downloaded from
>> gnupg.org and signed by "Werner Koch (dist sig)", how would you verify
>> authenticity of that key?
>
> I don't understand where this question is going. I would find some
> trusted path, obviously. If I contact the maintainer and am told, "I
> download packages and check they are signed with this fingerprint ID,"
> well, then I'm already transitively validating-by-fiat that fingerprint
> ID.

Where the question is going is rather simple: what would you recommend Joe Average User to do to verify the authenticity of the GnuPG source he downloaded, not questioning his desire to build from that source.

Contacting the package maintainer of your Linux distribution seems a good method. You could ask them to sign the dist sig instead, and publish it on the keyserver. Then anybody who trusts the distribution will be able to infer trust for the dist sig.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/12 20:05, michael crane wrote:
> I'm using dreamhost. I appreciated that it seems quite handy to have all
> that random characters stuff outside of the message body and I was
> pointing out that it is not universally accepted to have daemon thingys
> like finger running so limiting the take up.

To get the public key through finger, you don't need to have a finger daemon running, you only need the finger client. Werner is the one having the finger daemon running.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/09/2012 11:57 AM, Peter Lebbing wrote:
> Suppose you would want to build from the vanilla source downloaded from
> gnupg.org and signed by "Werner Koch (dist sig)", how would you verify
> authenticity of that key?

I don't understand where this question is going. I would find some trusted path, obviously. If I contact the maintainer and am told, "I download packages and check they are signed with this fingerprint ID," well, then I'm already transitively validating-by-fiat that fingerprint ID.

If instead I'm told, "I've personally met the GnuPG release authority (i.e., Werner) and have signed that certificate," then the release certificate is validated because it is certified by a trusted introducer.

If I'm told "beats me, Elvis comes to me in a séance and gives me all my answers," then I would have to find some other means.
Re: can someone verify the gnupg Fingerprint for pubkey?
On Sat, June 9, 2012 2:29 pm, Mark Rousell wrote:
>> What types of processes are forbidden by DreamHost?
>> [deletia]
>
> Err.. sorry, not following you. :-) Who is using Dreamhost and what has
> it got to do with the finger protocol? Werner doesn't seem to be using
> Dreamhost for what it's worth.

I'm using dreamhost. I appreciated that it seems quite handy to have all that random characters stuff outside of the message body and I was pointing out that it is not universally accepted to have daemon thingys like finger running so limiting the take up.

cheers

mick

-- 
keyID: 0x4BFEBB31
Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/12 17:17, Robert J. Hansen wrote:
> My bootstrap is "I trust my Linux distribution." My distro is a trusted
> software provider, in the traditional security sense of a "trusted
> provider". If I receive software from an official Fedora repo and it is
> signed by the repo release team, that's good enough for me.

Suppose you would want to build from the vanilla source downloaded from gnupg.org and signed by "Werner Koch (dist sig)", how would you verify authenticity of that key?

I also just trust the Debian repo for my software. Unfortunately, the problem is just transferred to the signature on the ISO I download to install Debian on a new system. I do the same: download the sig from various places and compare the issuer.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/09/2012 11:05 AM, Peter Lebbing wrote:
> your reply, I understand now you did not mean it like that. I was
> already quite puzzled about my interpretation because it didn't sound
> like you :).

Thank you for giving me the benefit of the doubt. :)

> Funnily, we're saying the same thing. You yourself said you don't
> particularly care if Werner Koch is actually called Horace
> Micklethorpe or Harry Palmer or ... Then why are you interested in
> the number of Werner Kochs?

I'm not interested in the number of Werner Kochs. I'm interested in the difference between *the* entity and *an* entity. The entity that signs these releases happens to be Werner. But there are many entities named Werner, so how do we know we have the certificate belonging to the correct entity? It's an identification problem.

Werner's only relevance to it _qua_ himself is that we acknowledge him as the definitive authenticator of the code: "yes, that is the code I wrote." If we're going to rely on a definitive authenticator, shouldn't we ensure we're actually talking to the actual authenticating entity? :)

> So how did you verify your GnuPG source? If you say "I asked a close
> friend", my counterquestion is: How did he/she? What I want to know
> is: what bootstrapped the confidence that the key was the proper
> GnuPG dist sig?

My bootstrap is "I trust my Linux distribution." My distro is a trusted software provider, in the traditional security sense of a "trusted provider". If I receive software from an official Fedora repo and it is signed by the repo release team, that's good enough for me.

How did I come to trust that I have the correct certificate for the repo release team? Because it came on the DVD, which is my trusted bootstrap.

I fully acknowledge this is validation by fiat. Some people will think it's a perfectly reasonable way of doing things. Others will think I'm crazy. It's up to the individual to decide. :)

> And I do not see this process as, to quote you, "certifiably crazy"
> at all.

And as I said, apparently you and I have completely different opinions on whether crowdsourcing should be trusted for these matters. And, you know, that's okay. :)
Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/12 15:44, Robert J. Hansen wrote:
> I'm not weighing in on what the mechanism should be: I don't get to declare
> what anyone else's policy should be.

I was under the impression you did. I interpreted your mail and particularly the statement

> but this either is or isn't a proper verification, and there's no
> in-between.

as meaning that there is only one correct way to do a proper verification. From your reply, I understand now you did not mean it like that. I was already quite puzzled about my interpretation because it didn't sound like you :).

>> It doesn't really matter how many Werner Kochs there are.
>
> Sure it does. As an absurdist thought experiment, let's think of a nation --
> call it Kochistan. In Kochistan, everyone is required to have the name
> Werner Koch. Most people in Kochistan are honest. If you ask them if
> they're *the* Werner Koch, they'll tell you no, they're not.

Funnily, we're saying the same thing. You yourself said you don't particularly care if Werner Koch is actually called Horace Micklethorpe or Harry Palmer or ... Then why are you interested in the number of Werner Kochs?

The thing I'm interested in: is the source of GnuPG I downloaded actually the program we know and love. I'm at this point not interested in the fact that Werner Koch is a main developer of it, or what his proper name is. For all I know his birth name indeed is Horace. He might as well have given the UID "GnuPG dist sig" to the key, instead of "Werner Koch (dist sig)". The only reason we are talking about "the" Werner Koch is that his name is in the UID, which might as easily not have been. As I said, the number of Werner Kochs is insubstantial.

> I don't trust crowdsourcing to verify GnuPG. If someone or some group
> subverts that system my exposure might be much greater and I might not learn
> about it for quite some time.

So how did you verify your GnuPG source? If you say "I asked a close friend", my counterquestion is: How did he/she? What I want to know is: what bootstrapped the confidence that the key was the proper GnuPG dist sig?

Personally, I did it by checking from a number of locations that the key making the signature is the same from wherever I try. Also, I spread the checks over a substantial period of time. If the website got hacked, I hoped it would come out in that period of time. It did not at any point include the quantity of Werner Kochs.

Now, if I wanted more satisfaction, I would indeed turn to this mailing list, ask members whether they see the same fingerprint, and check the replies from several locations to see that from wherever I check, the replies are identical. Again add a little time to allow for members to write to the mailing list "Hey I did not write that reply!" in case of impersonation. Hopefully at least one person would notice and expose the deception.

And I do not see this process as, to quote you, "certifiably crazy" at all. It would perhaps be if I only checked it from the same computer as where I downloaded the source and signature and keyblock, but nowhere is it stated this is the case.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/09/2012 09:44 AM, Robert J. Hansen wrote:
>> It doesn't really matter how many Werner Kochs there are.
>
> Sure it does. As an absurdist thought experiment...

An anecdote might work better than an absurdist thought experiment, come to think of it...

=

In the United States, the collegiate basketball championships are the occasion for a lot of betting. People stake wagers on which teams will make the semifinals (the "Sweet Sixteen") and the playoffs (the "Final Four"). As you might expect, a lot of people try to get some kind of inside information -- they might have a cousin who plays for one team and their cousin says the University of Nevada at Las Vegas is the one to look out for or something. Whenever you've got gamblers you'll have people who try to get inside information or expert advice.

The University of Iowa's color-commentator for their basketball games is a great guy -- I met him a couple of times, once when he was playing ball for UI and a couple of times when I was a grad student at UI. He's also a legend in professional basketball, having replaced Michael Jordan in the 1992 NBA Finals while the Bulls were down by 15 and rallying them to a 97-93 win. Anyone who can not only replace Michael Jordan in a game, but replace him *and* rally the score, is a deservedly legendary figure.

We have the same name, we're both University of Iowa graduates, and we both have a lot of family in Des Moines. We both answer to "Bob Hansen". (I prefer "Rob," but I'll answer to "Bob" or "Robert".) Even our middle initials are similar: he's Robert L. Hansen and I'm Robert J. Hansen. It doesn't take a bad case of dyslexia to get those initials reversed.

So during Final Four season when people look around for the Bob Hansen who attended the University of Iowa... well, sometimes they get me.

"Are you Bob Hansen?" Yes, I am.

"Did you attend the University of Iowa?" Yep!

"Are you *that* Bob Hansen who attended the University of Iowa? Bob Hansen from Des Moines?" Well, I'm not actually from Des Moines, no, but yes, I have a lot of family there.

"OH MY GOD I CAN'T BELIEVE I FOUND YOU. Quick! Who are your Final Four picks? And are you still tight with Magic Johnson and Michael Jordan?"

Verification is a hard problem. Even when dealing with someone who is giving *completely honest answers*, it's still easy to confuse *a* Bob Hansen for *the* Bob Hansen. And when it comes to getting good Final Four picks, you really want *the* Bob Hansen, and not me. I've seen a total of two basketball games in my life.

Likewise, you want *the* Werner Koch, not *a* Werner Koch. When it comes to getting a correct copy of GnuPG, you really want his certificate and not some other Werner Koch's!
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/09/2012 07:21 AM, Peter Lebbing wrote:
> So how /do/ you verify that you have the distribution key for GnuPG?

By fiat. You go through some mechanism and at the completion declare, "I am satisfied that the likelihood of this *not* being the correct distribution key is quite low." I'm not weighing in on what the mechanism should be: I don't get to declare what anyone else's policy should be.

> It doesn't really matter how many Werner Kochs there are.

Sure it does. As an absurdist thought experiment, let's think of a nation -- call it Kochistan. In Kochistan, everyone is required to have the name Werner Koch. Most people in Kochistan are honest. If you ask them if they're *the* Werner Koch, they'll tell you no, they're not.

Some people in Kochistan are dishonest. If you ask them if they're *the* Werner Koch they will quickly tell you yes, create a certificate with the same UID on it as the one which signs GnuPG releases, and give you the fingerprint for *that* certificate. This Werner Koch will then call his cousin (also named Werner Koch) who runs an organized crime outfit, and will tell him that if he can Trojan a copy of GnuPG that you'll be happy to install it because you're under the impression that he (Werner-who-is-not-our-Werner) is him (Werner-who-is-our-Werner).

There's a big difference between being *the* person and being *a* person. :)

> Crowdsourcing the knowledge seems viable, if you make sure the
> messages from the crowd are not altered by your attacker.

I'll trust crowdsourcing to find me good restaurants in my neighborhood. If someone (or some group) subverts that system then I'm out a few bucks for a meal that doesn't taste very good and I know not to trust that restaurant review website again. And I learn about this really quickly, too -- all it takes is one or two bad meals and I've moved on to find a better source for restaurant reviews.

I don't trust crowdsourcing to verify GnuPG. If someone or some group subverts that system my exposure might be much greater and I might not learn about it for quite some time.

> And it's always a costs/benefits decision. How sure do you want to be
> that you have the unmodified sources? So I don't agree that it is as
> binary as "this is or isn't a proper verification".

Well -- not to be rude, but you did. As you said, "at some point you'll have to satisfy yourself that you have the correct key." The process you use to satisfy yourself will by definition satisfy yourself: that makes it a proper verification. But if you satisfy it by a process that other people consider insufficient or deeply unhinged (in the case of the séance with Elvis), they will say that it is *not* sufficient and that makes it an improper verification.

Verification is inherently subjective. A verification can simultaneously be sufficient and insufficient -- sufficient for yourself but not others, insufficient for yourself but not others, and so on.
Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/2012 12:05, michael crane wrote:
>
> On Sat, June 9, 2012 10:28 am, Mark Rousell wrote:
>> On 07/06/2012 11:27, Werner Koch wrote:
>>> On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said:
>>>
>>> If you look at my OpenPGP mail header you will be pointed to a “finger”
>>> address - enter it into your web browser (in case you don't know what
>>> finger is) and you will see
>>
>> Just as an aside, I presume you are referring to this header line:
>>
>> OpenPGP: id=1E42B367; url=finger:w...@g10code.com
>>
>> Do you know of any common modern browsers that have finger protocol
>> support built in? I wonder, how many people even have a finger client
>> installed (that their browser would be able to find)?
> also
>
> What types of processes are forbidden by DreamHost?
> [deletia]

Err.. sorry, not following you. :-) Who is using Dreamhost and what has it got to do with the finger protocol? Werner doesn't seem to be using Dreamhost for what it's worth.

Anyway, I admit that my comment about the finger protocol is not exactly on-topic but I was just curious about Werner's assumption that the protocol would be meaningful to an arbitrary browser. For example, even though I've got a command line finger client on my system none of my installed browsers know about it. I'd have to manually add a system mapping for the finger: protocol (and even then I'd also have to add a wrapper to open the finger client in a persistent shell so I could see the results).

-- 
MarkR
PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162
Re: can someone verify the gnupg Fingerprint for pubkey?
Hi!

>> Perhaps it would be worthwhile to add a question to the signing
>> process: "Have you met this person face-to-face and verified
>> his/her identity? (y/N)" If the user answers no, display a warning
>> that the user probably wants to lsign, not to sign, and give the
>> option of making an lsign instead.
>
> +1 to this idea.

Isn't that what --ask-cert-level is for?

cu, Paeniteo
Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/12 02:22, Robert J. Hansen wrote:
> Some might shake their heads and say no, it's not: you only verified you were
> speaking with *a* Werner Koch who had access to *the* Werner Koch's email
> address, not that you were speaking to *the* Werner Koch.

So how /do/ you verify that you have the distribution key for GnuPG?

Let's not lose sight of this specific instance of verification: that you want to know you have the GnuPG source as distributed by its authors, and not some modified version. It doesn't really matter how many Werner Kochs there are. There is always a bootstrapping problem for the trust. So at some point you'll have to satisfy yourself that you have the correct key.

Crowdsourcing the knowledge seems viable, if you make sure the messages from the crowd are not altered by your attacker.

And it's always a costs/benefits decision. How sure do you want to be that you have the unmodified sources? So I don't agree that it is as binary as "this is or isn't a proper verification".

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: can someone verify the gnupg Fingerprint for pubkey?
On Sat, June 9, 2012 10:28 am, Mark Rousell wrote:
> On 07/06/2012 11:27, Werner Koch wrote:
>> On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said:
>>
>> If you look at my OpenPGP mail header you will be pointed to a finger
>> address - enter it into your web browser (in case you don't know what
>> finger is) and you will see
>
> Just as an aside, I presume you are referring to this header line:
>
> OpenPGP: id=1E42B367; url=finger:w...@g10code.com
>
> Do you know of any common modern browsers that have finger protocol
> support built in? I wonder, how many people even have a finger client
> installed (that their browser would be able to find)?

also

What types of processes are forbidden by DreamHost?

IRC-related persistent processes of any kind (including, but not limited to, bots, bouncers, etc.) are STRICTLY PROHIBITED, and are in violation of the Terms of Service. BitTorrent-related processes are not allowed. Streaming Audio or Video servers of any kind are not allowed on shared hosting servers. Voice chat or VoIP servers like Asterisk, Ventrilo and TeamSpeak are not permitted. Game servers (CounterStrike, WoW, BF2, etc.) are also not permitted. Proxy style tunnels such as Tor cannot be run. Alternate services and daemons (Finger, OpenLDAP, memcached, etc.) as well as daemonized version of current services (PHP, httpd, etc.) may not be run. Cron Jobs, Crontabs are allowed provided you don't use excessive system resources.

mick

-- 
keyID: 0x4BFEBB31
Re: can someone verify the gnupg Fingerprint for pubkey?
Please consider trimming your quotes. The amount that's going on here strikes me as pretty excessive. I'm not standing on a chair and screaming that you're doing it wrong, of course: this is just a friendly request to please trim your quotes. :)

> The whole idea behind the web of trust is that you have met "real"
> people.

Not particularly. The idea behind the Web of Trust is that entities can introduce other entities. Everything above and beyond that is just the projection someone places upon it.

> It is a principle of the whole system that you only sign people's
> keys. The person comes first - not the key.

Not necessarily. For instance, Symantec has a certificate they use to sign PGP releases. That certificate does not belong to a person but to a corporation. *Entities* come first, but an entity is not necessarily a person. Usually it is -- but it's not required to be.

> It's not the validity of keys but the validity of people.

No, it's definitely the validity of certificates that we're checking. We can agree on how to check the validity of a certificate -- ensure the fingerprint matches the one provided to you by the entity controlling the certificate. We can't agree on how to check the validity of a person, or even what it even means to do this. So instead we handwave it by saying, "prove to your own satisfaction you're talking to the real entity -- whether this means you've known the person for twenty years, you've seen two forms of government ID, or Elvis came to you in a séance and vouched for the person and told you he was a swell guy. That last option is every bit as 'valid' as the other two. How you confirm an entity's identity is your choice, and nobody gets to decide that policy except you.

> Most people are bound up with beliefs and behaviours. They interact
> with others on a daily basis sharing common values beliefs and
> behaviours. Under normal conditions we don't ask every one we meet
> for their passport driving license or DNA sequence. We accept it as
> the norm that people are real and valid - its the IDs they use which
> may or maybe questionable.

I don't understand what you're talking about here. In fact, it seems quite self-contradictory. If someone presents themselves as being Horace Micklethorpe, shows me ID in that name, and then I later discover this person's real name is Harry Palmer, I'm going to understandably accuse this person of having been inauthentic with me.

> So people on this mailing list "know" that Werner Koch is "real."

Few of us do. I harbor some suspicion that Werner's real name is Horace Micklethorpe. He might also be Harry Palmer or Bob Howard. I don't know. I also don't particularly *care*, either: what I care about is what he does, not who he is.

> A public key is a static document

Certificates change over time as UIDs, UATs, signatures and subkeys are added and revoked. Certificates are highly dynamic documents: many of them gain a signature a week.
Re: can someone verify the gnupg Fingerprint for pubkey?
On 07/06/2012 11:27, Werner Koch wrote:
> On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said:
>
> If you look at my OpenPGP mail header you will be pointed to a “finger”
> address - enter it into your web browser (in case you don't know what
> finger is) and you will see

Just as an aside, I presume you are referring to this header line:

OpenPGP: id=1E42B367; url=finger:w...@g10code.com

Do you know of any common modern browsers that have finger protocol support built in? I wonder, how many people even have a finger client installed (that their browser would be able to find)?

-- 
MarkR
PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162
Re: can someone verify the gnupg Fingerprint for pubkey?
On Fri, 8 Jun 2012 23:41, smick...@hotmail.com said:

> Another thing is that downloading the key from that link you provided
> is no guarantee of safety in and of itself either because the page is
> not being hosted over SSL with confirmed identity information. So

That is not relevant. The key (correct OpenPGP term is “keyblock” but sometimes also called “certificate”) is in itself secure; the included self-signature and signatures from other people shall be used to evaluate the identity of the key owner.

Shalom-Salam,

Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: can someone verify the gnupg Fingerprint for pubkey?
On 07.06.2012 19:52, Robert J. Hansen wrote:
> On 6/7/12 12:32 PM, Werner Koch wrote:
>> That is actually a bit funny: I never asked anyone to sign that
>> key. Probably they deduced the correctness from my regular key
>> which I used to sign the above key. That is not a surprise; I
>> have seen many signatures on my keys from people I never met.
>
> Perhaps it would be worthwhile to add a question to the signing
> process: "Have you met this person face-to-face and verified
> his/her identity? (y/N)" If the user answers no, display a warning
> that the user probably wants to lsign, not to sign, and give the
> option of making an lsign instead.

+1 to this idea.

> It might cut down on certifications such as these...

-- 
[Mika Suomalainen](https://mkaysi.github.com/) || [gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) || [Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) || [Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) || [This signature](https://gist.github.com/2643070#file_icedove.md) || [Please reply below this line](http://mkaysi.github.com/articles/complaining/topposting.html)
Re: can someone verify the gnupg Fingerprint for pubkey?
On 08/06/12 22:41, Sam Smith wrote:
>
> Another thing is that downloading the key from that link you provided is no
> guarantee of safety in and of itself either because the page is not being
> hosted over SSL with confirmed identity information. So technically there's
> no guarantee I'm actually interacting with the GnuPG.org website.
>
>
>
>> Date: Thu, 7 Jun 2012 05:23:43 +0100
>> From: da...@gbenet.com
>> To: gnupg-users@gnupg.org
>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>>
> On 07/06/12 00:15, Sam Smith wrote:
>>>> yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm trying
>>>> to guard against.
>>>>
>>>> My efforts to verify the fingerprint are the best way to do this, correct?
>>>>
>>>>
>>>>
>>>>
>>>>> Date: Wed, 6 Jun 2012 21:54:01 +0200
>>>>> From: pe...@digitalbrains.com
>>>>> To: gnupg-users@gnupg.org
>>>>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>>>>>
>>>>> On 06/06/12 17:58, Mika Suomalainen wrote:
>>>>>>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>>>>>> Looks correct.
>>>>>>
>>>>>> ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
>>>>>> gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
>>>>>> gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
>>>>>
>>>>> I agree it appears he has the correct key. I did a local sig on it after what
>>>>> checking I seemed to be able to do without meeting people in person.
>>>>>
>>>>> But it's a bit unclear to me on what basis you decided it looked correct? Your
>>>>> mail suggests to me that you decided that based on the fact that the UID on
>>>>> that key is "Werner Koch (dist sig)". But that would be the very first thing a
>>>>> potential attacker would duplicate in his effort to fool our OP. Even if he's
>>>>> using MITM tricks to subvert his system, he can still post his personally
>>>>> generated key to the keyserver with this UID.
>>>>>
>>>>> Peter.
>>>>>
>>>>> PS: I briefly considered signing this message, because the attacker might MITM
>>>>> my message to the OP. Then I realised what good that signature would do :).
>>>>>
>>>>> --
>>>>> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
>>>>> You can send me encrypted mail if you want some privacy.
>>>>> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
>
> Sam,
>
> You are a little confused - you ask "can some one verify the gnupg fingerprint for
> pubkey" and you use Verners key to verify gnupg. Then you worry about impersonation - now
> clearly Verner and gnupg have different keys. Or don't you know that?
>
> Clearly you failed to follow my link and clearly you failed to check the public key for
> gnupg. Now being a little confused try and get a clear question in your mind - is it
> Verner's key that you have such a passion to verify or gnupg?
>
> Verner's had about three keys two of which have expired - to the best of my knowledge he's
> a real person - he even maintains this list. You could always try encrypting an e-mail to
> his public key asking him if he's a real person. I'd suggest you not do the same for the
> public key of gnupg.
>
> People generate a private and a public key imaginary people don't do this - granted some one
> can set up a false ID and create a set of keys - but though they have created a false ID to
> do so they are nevertheless r
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/08/2012 05:37 PM, Sam Smith wrote:
> I downloaded the GnuPG program. I then ran --verify and was told that the key was signed with 0x4F25E3B6 key. I download 0x4F25E3B6 key from a key server and then asked people on this mailing list to confirm that I downloaded a legit key. Several people on this mailing list confirmed the fingerprint of this key as a legit key. I then marked the key as trusted because I verified the fingerprint.

I hate to give an unclear answer, but this either is or isn't a proper verification, and there's no in-between. Before you go about thinking that's a pointless answer, please: I promise you that it's a completely accurate answer, and understanding why it's accurate will help you understand the nature of verification.

The ancient Greeks had a branch of philosophy that was concerned with the nature of knowledge: not just what did we know, but how is it that we knew it, and on what basis did we trust it? This branch was called epistemology, and verification is an epistemological question.

All right, you have a certificate and you know it's truly Werner's release signing certificate: but *how do you know it*?

The gold standard of such knowledge involves meeting Werner face-to-face, checking his passport, verifying that it's a real passport and not a forgery, receiving his certificate fingerprint directly from him, emailing him at that address to confirm that he truly has access to the address listed, and so forth. If you were to do this many people on this list would nod appreciatively and say that yes, this is a proper verification.

Some might shake their heads and say no, it's not: you only verified you were speaking with *a* Werner Koch who had access to *the* Werner Koch's email address, not that you were speaking to *the* Werner Koch. And, you know what? They'd be absolutely right.

Ultimately, whether a given verification process rises to the bar of sufficiency is a personal decision. There is no absolute standard.

As a result of this, you can only ever rely on being able to satisfy yourself -- there will always be people out there who believe your verification process is insufficient. And that's why your process either is or isn't a proper verification, and why there's no in-between.

If you can honestly say that you understand the risks of asking the list, that you've considered those risks and you're comfortable doing things this way, then sign that certificate with a clear conscience and don't let anybody tell you that you're doing it wrong.

Me, I think your process is certifiably crazy and I would never, ever do it that way. But you know what? I don't get to control your decision-making process and I don't think you should put any stock in my opinion. After all, I'm just a guy on the internet whom you've never met. You have no idea if I'm a bulwark of sanity or if I bark at the moon on a regular basis. :)
RE: can someone verify the gnupg Fingerprint for pubkey?
David,

I downloaded the GnuPG program. I then ran --verify and was told that the key was signed with the 0x4F25E3B6 key. I downloaded the 0x4F25E3B6 key from a key server and then asked people on this mailing list to confirm that I downloaded a legit key. Several people on this mailing list confirmed the fingerprint of this key as a legit key. I then marked the key as trusted because I verified the fingerprint. I then gpg --verify the gnupg program and got a Good Signature.

Of course it would be good to meet Werner and look at his passport and all this nonsense. But that is ridiculous because it's never going to happen. I read the GnuPG manual and what I did is what the manual describes as good practice. What you describe is just nonsense. Yes, it is truly secure and everything, but, you know, completely impractical, so why did you even write it?

My question was an honest one and made in good faith about trying to learn and be humble that I don't know everything. But I struggle to find what can be learned from your email.

I did follow your link to the posted public key. However I had already downloaded from a keyserver the key that was identified as being the one that signed the gnupg program (0x4F25E3B6). And others verified the fingerprint. So do I still need to download the key that you posted a link to? Aren't they the same key?

Strangely, before I downloaded key 0x4F25E3B6, I searched the website looking for a public key to download but did not find the link that you provided.

> Date: Thu, 7 Jun 2012 05:23:43 +0100
> From: da...@gbenet.com
> To: gnupg-users@gnupg.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>
> On 07/06/12 00:15, Sam Smith wrote:
>> yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm trying to guard against.
>>
>> My efforts to verify the fingerprint are the best way to do this, correct?
> > > > > > > > > >> Date: Wed, 6 Jun 2012 21:54:01 +0200 > >> From: pe...@digitalbrains.com > >> To: gnupg-users@gnupg.org > >> Subject: Re: can someone verify the gnupg Fingerprint for pubkey? > >> > >> On 06/06/12 17:58, Mika Suomalainen wrote: > >> >> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 > >> > Looks correct. > >> > > >> > ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 gpg: > >> > requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net gpg: key > >> > 4F25E3B6: public key "Werner Koch (dist sig)" imported > >> > >> I agree it appears he has the correct key. I did a local sig on it after > >> what > >> checking I seemed to be able to do without meeting people in person. > >> > >> But it's a bit unclear to me on what basis you decided it looked correct? > >> Your > >> mail suggests to me that you decided that based on the fact that the UID on > >> that key is "Werner Koch (dist sig)". But that would be the very first > >> thing a > >> potential attacker would duplicate in his effort to fool our OP. Even if > >> he's > >> using MITM tricks to subvert his system, he can still post his personally > >> generated key to the keyserver with this UID. > >> > >> Peter. > >> > >> PS: I briefly considered signing this message, because the attacker might > >> MITM > >> my message to the OP. Then I realised what good that signature would do :). > >> > >> -- > >> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. > >> You can send me encrypted mail if you want some privacy. 
> >> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt > >> > >> ___ > >> Gnupg-users mailing list > >> Gnupg-users@gnupg.org > >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > > > ___ > > Gnupg-users mailing list > > Gnupg-users@gnupg.org > > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > Sam, > > You are a little confused - you ask ask "can some one verify the gnupg > fingerprint for > pubkey" and you use Verners key to verify gnupg. Then you worry about > impersonation - now > clearly Verner and gnupg have different keys. Or don't you know that? > > Clearly you failed to follow my link and clearly you failed to check the > public key for > gnupg. Now being a little confused try and get a clear question in your mind >
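The procedure Sam describes above (run --verify, fetch the key ID it names, confirm the fingerprint, verify again) leans on the 8-hex short key ID and the user ID that gpg prints in its human-readable output, which are exactly the two things Peter noted an attacker can reproduce on a key of his own. The following Python script is an added example, not code from this thread or from the GnuPG project: it reads gpg's machine-readable status lines (the --status-fd interface documented in GnuPG's doc/DETAILS) and accepts a signature only if the VALIDSIG record names the pinned full fingerprint, either as the key that made the signature or as that key's primary key. The status texts inside the script are constructed for illustration, the subkey and impostor fingerprints in them are made up, and verify_file() assumes gpg is on PATH.

```python
"""Accept a gpg --verify result only if the signing key's fingerprint is pinned.

Added example; not code from the thread or from the GnuPG project. The
human-readable output of gpg --verify names an 8-hex short key ID and a user
ID, both of which an attacker can reproduce. The machine-readable status
lines (--status-fd, format per GnuPG's doc/DETAILS) carry the full
fingerprint, so the check compares that against a pinned value.
"""
import subprocess

# Fingerprint posted in the thread for "Werner Koch (dist sig)".
PINNED_FPR = "D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6"

STATUS_PREFIX = "[GNUPG:] "


def normalize_fpr(fpr):
    """Drop the spacing gpg prints between groups and upper-case the hex."""
    return "".join(fpr.split()).upper()


def parse_status(status_text):
    """Return [(keyword, [args...])] for every '[GNUPG:] KEYWORD ...' line."""
    records = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            records.append((parts[0], parts[1:]))
    return records


def validsig_fingerprints(records):
    """Yield (signing_key_fpr, primary_key_fpr) for each VALIDSIG record.

    VALIDSIG args: fpr sig-date sig-timestamp expire-timestamp sig-version
    reserved pubkey-algo hash-algo sig-class [primary-key-fpr]. When a subkey
    made the signature only the last field names the primary key.
    """
    for keyword, args in records:
        if keyword == "VALIDSIG" and args:
            signing = args[0].upper()
            primary = args[9].upper() if len(args) >= 10 else signing
            yield signing, primary


def is_valid_for(status_text, pinned_fpr):
    """True iff some VALIDSIG names the pinned key as signing or primary key."""
    want = normalize_fpr(pinned_fpr)
    return any(want in pair for pair in validsig_fingerprints(parse_status(status_text)))


def verify_file(sig_path, data_path, pinned_fpr=PINNED_FPR):
    """Run gpg --verify (assumes gpg on PATH); require a good sig AND the pinned key."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
    )
    return proc.returncode == 0 and is_valid_for(proc.stdout, pinned_fpr)


# Constructed status output, not captured from a real run. Timestamps and the
# subkey/impostor fingerprints are made up; the good fingerprint is the one
# posted in the thread and AC87C71A is the subkey ID shown there.
FPR = normalize_fpr(PINNED_FPR)
SUBKEY_FPR = "C" * 32 + "AC87C71A"
IMPOSTOR_FPR = "F" * 24 + "0123456789ABCDEF"

GOOD_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)
[GNUPG:] VALIDSIG {FPR} 2012-05-01 1335830400 0 4 0 1 2 00 {FPR}
[GNUPG:] TRUST_UNDEFINED
"""

# Same primary key, signature made by its subkey: the first VALIDSIG field
# differs, the trailing primary-key field still matches the pin.
SUBKEY_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CCCCCCCCAC87C71A Werner Koch (dist sig)
[GNUPG:] VALIDSIG {SUBKEY_FPR} 2012-05-01 1335830400 0 4 0 1 2 00 {FPR}
"""

# Impostor key with a copied user ID: gpg still says "Good signature".
IMPOSTOR_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Werner Koch (dist sig)
[GNUPG:] VALIDSIG {IMPOSTOR_FPR} 2012-06-01 1338508800 0 4 0 1 2 00 {IMPOSTOR_FPR}
"""

if __name__ == "__main__":
    for name, status in [("good", GOOD_STATUS), ("subkey", SUBKEY_STATUS),
                         ("impostor", IMPOSTOR_STATUS)]:
        print(f"{name}: {'ACCEPT' if is_valid_for(status, PINNED_FPR) else 'REJECT'}")
```

Pinning on the trailing primary-key field matters when a project signs with a subkey: Werner's listing in this thread shows a subkey AC87C71A under 4F25E3B6, and a signature made by such a subkey would put the subkey's fingerprint first in VALIDSIG. Note that gpg's "Good signature" line and exit status say only that the signature is cryptographically valid for whatever key was used; they say nothing about whose key it is.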
RE: can someone verify the gnupg Fingerprint for pubkey?
Another thing is that downloading the key from that link you provided is no guarantee of safety in and of itself either because the page is not being hosted over SSL with confirmed identity information. So technically there's no guarantee I'm actually interacting with teh GnuPG.org website. > Date: Thu, 7 Jun 2012 05:23:43 +0100 > From: da...@gbenet.com > To: gnupg-users@gnupg.org > Subject: Re: can someone verify the gnupg Fingerprint for pubkey? > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 07/06/12 00:15, Sam Smith wrote: > > yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm trying > > to guard against. > > > > My efforts to verify the fingerprint are the best way to do this, correct? > > > > > > > > > >> Date: Wed, 6 Jun 2012 21:54:01 +0200 > >> From: pe...@digitalbrains.com > >> To: gnupg-users@gnupg.org > >> Subject: Re: can someone verify the gnupg Fingerprint for pubkey? > >> > >> On 06/06/12 17:58, Mika Suomalainen wrote: > >> >> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 > >> > Looks correct. > >> > > >> > ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 gpg: > >> > requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net gpg: key > >> > 4F25E3B6: public key "Werner Koch (dist sig)" imported > >> > >> I agree it appears he has the correct key. I did a local sig on it after > >> what > >> checking I seemed to be able to do without meeting people in person. > >> > >> But it's a bit unclear to me on what basis you decided it looked correct? > >> Your > >> mail suggests to me that you decided that based on the fact that the UID on > >> that key is "Werner Koch (dist sig)". But that would be the very first > >> thing a > >> potential attacker would duplicate in his effort to fool our OP. Even if > >> he's > >> using MITM tricks to subvert his system, he can still post his personally > >> generated key to the keyserver with this UID. > >> > >> Peter. 
> >> > >> PS: I briefly considered signing this message, because the attacker might > >> MITM > >> my message to the OP. Then I realised what good that signature would do :). > >> > >> -- > >> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. > >> You can send me encrypted mail if you want some privacy. > >> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt > >> > >> ___ > >> Gnupg-users mailing list > >> Gnupg-users@gnupg.org > >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > > > ___ > > Gnupg-users mailing list > > Gnupg-users@gnupg.org > > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > Sam, > > You are a little confused - you ask ask "can some one verify the gnupg > fingerprint for > pubkey" and you use Verners key to verify gnupg. Then you worry about > impersonation - now > clearly Verner and gnupg have different keys. Or don't you know that? > > Clearly you failed to follow my link and clearly you failed to check the > public key for > gnupg. Now being a little confused try and get a clear question in your mind > - is it > Verner's key that you have such a passion to verify or gnupg? > > Verner's had about three keys two of which have expired - to the best of my > knowledge he's > a real person - he even maintains this list. You could always try encrypting > an e-mail to > his public key asking him if he's a real person. I'd suggest you not do the > same for the > public key of gnupg. > > People generate a private and a public key imaginary people don't do this - > granted some one > can set up a false ID and create a set of keys - but though they have created > a false ID to > do so they are nevertheless real people. > > If you are so concerned about Verner's key why not take a trip to Germany and > arrange to > meet him? You can't meet the gnupg (as its a bit of software) but you can > verify it's > running on your computer. > > All your keys are "untrusted." 
Everyone of them - apart from your own public > key. They all > remain so until you actually meet that person and verify that they are who > they say they > are. You carefully check their passport their driving l
Re: can someone verify the gnupg Fingerprint for pubkey?
On Thu, June 7, 2012 11:27 am, Werner Koch wrote:
> If you look at my OpenPGP mail header you will be pointed to a “finger” address - enter it into your web browser (in case you don't know what finger is) and you will see

I see that it would be handy to have this stuff in the header, where presumably the client could respond, and it would take up less space in the message body, where it can get cluttered with all the sigs etc.

regards
mmick
-- 
keyID: 0x4BFEBB31
Re: can someone verify the gnupg Fingerprint for pubkey?
On 6/7/12 2:10 PM, Sam Whited wrote:
> ...yes, it's hardly onerous, but it's still one extra step that does nothing for more advanced users (except perhaps when they haven't had enough coffee early in the morning :) ).

Friend of mine, a former law-enforcement officer, is a big believer in checklists ever since he went into a violent drug raid and discovered afterwards they'd forgotten to (a) let the ambulance service know they were about to serve a high-risk warrant, (b) put on his body armor and (c) chamber a round in his Glock. After that he wrote down a checklist on the back of his business card: "Warrant, Correct Address, Backup, Comms, Ambulance Standby, Weapon, Armor." Rest of his career he never went through the door without first breaking out that checklist and confirming that each and every category had been ticked off.

The moral of the story is that if it's important something always be done, then it's important enough to add to a routine checklist. Otherwise, you're sooner or later going to wind up like my friend: shaking like a leaf and having nightmares for months about how things could have gone much, much worse.

If people want to implement this feature as "--expert --disable-sign-sanity-check", okay, then ... fine, I guess, --expert is quite literally a "don't you dare second guess me just do what I say, damn it!" flag. But there's a very good reason why I don't use --expert and why I've never met anyone whom I think *should* use it.

> It's the equivalent of the "remember my selection" button that should be on any dialog that's not performing something mission-critical.

Sanity-checking validation checks *is* mission-critical. IMO, at least.
Re: can someone verify the gnupg Fingerprint for pubkey?
On Thu, Jun 7, 2012 at 1:22 PM, Robert J. Hansen wrote:
> Yes. And there are doubtless a large number of people who really don't want to have to type in their new passphrase twice, too. We make them do it anyway.

Yes, but that actually serves a purpose: it prevents people from losing their key when they make a simple typo, which is quite easy to do. I'd consider this an important step.

> Objecting to it on the grounds of "I don't think it will cut down on inappropriate signatures," fine, maybe, yes, [...]

I think you're probably right, it would cut down on inappropriate signatures and...

> assuming it can deliver, making people type 'y RETURN' in response to a simple question is hardly an onerous new requirement. I'm having a hard time understanding your objection, honestly.

...yes, it's hardly onerous, but it's still one extra step that does nothing for more advanced users (except perhaps when they haven't had enough coffee early in the morning :) ). Don't get me wrong, I think it's a good idea, but I also think that (from a basic interface perspective) there should be a way to turn it off. It's the equivalent of the "remember my selection" button that should be on any dialog that's not performing something mission-critical.

—Sam
-- 
Sam Whited pub 4096R/FB39BCF7EC2C9934 SamWhited.com s...@samwhited.com 404.492.6008
Re: can someone verify the gnupg Fingerprint for pubkey?
On 6/7/12 1:05 PM, Sam Whited wrote:
> It would also just be an unwanted extra step for a lot of people.

Yes. And there are doubtless a large number of people who really don't want to have to type in their new passphrase twice, too. We make them do it anyway.

Objecting to it on the grounds of "I don't think it will cut down on inappropriate signatures," fine, maybe, yes, it would be worthwhile to consider whether it can actually deliver on what I hope it can. But assuming it can deliver, making people type 'y RETURN' in response to a simple question is hardly an onerous new requirement. I'm having a hard time understanding your objection, honestly.
Re: can someone verify the gnupg Fingerprint for pubkey?
On Thu, Jun 7, 2012 at 12:52 PM, Robert J. Hansen wrote:
> Perhaps it would be worthwhile to add a question to the signing process: "Have you met this person face-to-face and verified his/her identity? (y/N)" If the user answers no, display a warning that the user probably wants to lsign, not to sign, and give the option of making an lsign instead.
>
> It might cut down on certifications such as these...

It would also just be an unwanted extra step for a lot of people. Might be a good idea so long as it could be turned off in the config file.

—Sam
-- 
Sam Whited pub 4096R/FB39BCF7EC2C9934 SamWhited.com s...@samwhited.com 404.492.6008
Re: can someone verify the gnupg Fingerprint for pubkey?
On 6/7/12 12:32 PM, Werner Koch wrote:
> That is actually a bit funny: I never asked anyone to sign that key. Probably they deduced the correctness from my regular key which I used to sign the above key. That is not a surprise; I have seen many signatures on my keys from people I never met.

Perhaps it would be worthwhile to add a question to the signing process: "Have you met this person face-to-face and verified his/her identity? (y/N)" If the user answers no, display a warning that the user probably wants to lsign, not to sign, and give the option of making an lsign instead.

It might cut down on certifications such as these...
Re: can someone verify the gnupg Fingerprint for pubkey?
On Thu, 7 Jun 2012 17:59, mika.henrik.mai...@hotmail.com said:
> % gpg --list-sigs D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> pub   2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
> uid                  Werner Koch (dist sig)
> sig          58DFC608 2011-06-11  Andrey ...
> sig          30B94B5C 2012-02-29  楊士青 (Yang ...
> sig          3B180E81 2011-02-13  Wolf Wi...
> sig 2        2AAA5C3B 2011-01-22  Gary de ...
> sig 2        E3F1D8F7 2012-01-31  Javier Alo...
> sig 1        46EB581F 2011-10-29  Stanislav ..
> sig          F80D46AB 2011-06-10  Ulf ...
> sig          A3B53998 2011-06-14  Daniel ...

That is actually a bit funny: I never asked anyone to sign that key. Probably they deduced the correctness from my regular key which I used to sign the above key. That is not a surprise; I have seen many signatures on my keys from people I never met.

Salam-Shalom,

Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: can someone verify the gnupg Fingerprint for pubkey?
On 07/06/12 17:14, Robert J. Hansen wrote:
> On 6/7/12 11:18 AM, da...@gbenet.com wrote:
>> To put matters simply, (1) Verner's key is not the same as gnupg's key (2) You can confirm the validity of Verner's key by meeting him (3) you can confirm that gnupg is running on your computer gpg/2 --version..
>
> As an FYI, you are consistently misspelling Werner's name. It's Werner, not Verner.
>
>> As to the question: can someone verify the gnupg Fingerprint for pubkey? The answer is no. Why? It is not a person but a bit of software.
>
> The certificate belongs to someone. If Werner were to appear before me with his passport and said "I control the certificates corresponding to these email addresses" and gave me their fingerprints, I would consider those certificates to be fully validated.

It's the German in me :)

David
-- 
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion.” https://linuxcounter.net/user/512854.html - http://gbenet.com/blog
Re: can someone verify the gnupg Fingerprint for pubkey?
On 6/7/12 11:18 AM, da...@gbenet.com wrote:
> To put matters simply, (1) Verner's key is not the same as gnupg's key (2) You can confirm the validity of Verner's key by meeting him (3) you can confirm that gnupg is running on your computer gpg/2 --version..

As an FYI, you are consistently misspelling Werner's name. It's Werner, not Verner.

> As to the question: can someone verify the gnupg Fingerprint for pubkey? The answer is no. Why? It is not a person but a bit of software.

The certificate belongs to someone. If Werner were to appear before me with his passport and said "I control the certificates corresponding to these email addresses" and gave me their fingerprints, I would consider those certificates to be fully validated.
Re: can someone verify the gnupg Fingerprint for pubkey?
On 07/06/12 14:17, Peter Lebbing wrote:
> On 07/06/12 06:23, da...@gbenet.com wrote:
>> Clearly you failed to follow my link and clearly you failed to check the public key for gnupg. Now being a little confused try and get a clear question in your mind - is it Verner's key that you have such a passion to verify or gnupg?
>
> I'm sorry, but I'm tech savvy and have some knowledge of OpenPGP and stuff and I'm quite confused about what you are trying to say in this mail.
>
> I'm also a bit worried that your mail can be read as quite brusque for no good reason. Perhaps it comes across differently than you meant.
>
> Peter.

Peter,

To put matters simply, (1) Verner's key is not the same as gnupg's key, (2) you can confirm the validity of Verner's key by meeting him, (3) you can confirm that gnupg is running on your computer with gpg/2 --version.

The subject of your e-mail is: can someone verify the gnupg Fingerprint for pubkey? I gave you a direct link to import gnupg's public key - but pointed out to you that the "normal" procedure for verification would not work, i.e. all your public keys are by default untrustworthy and that the only way to verify a public key is owned by a person is to meet that person. You have no way to verify that the public key belonging to gnupg is valid - but it does exist on your computer. It's entirely up to you whether you trust it or not. It's a question of reality.

Verner's key and gnupg's key are two separate keys - you can not confuse the two. Verner's already explained this to you in some detail.

To conclude - the only key you can trust ultimately is your own. When you have met some one and confirmed their ID as indicated you can set a level of trust to "fully." It does not matter how many people have signed a public key belonging to someone - they are all untrustworthy - until that is you meet that person in reality.

As to the question: can someone verify the gnupg Fingerprint for pubkey? The answer is no. Why? It is not a person but a bit of software.

I am usually quite good natured :)

David
-- 
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion.” https://linuxcounter.net/user/512854.html - http://gbenet.com/blog
Re: can someone verify the gnupg Fingerprint for pubkey?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07.06.2012 02:15, Sam Smith wrote: > yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm > trying to guard against. > > My efforts to verify the fingerprint are the best way to do this, > correct? > > > > >> Date: Wed, 6 Jun 2012 21:54:01 +0200 From: >> pe...@digitalbrains.com To: gnupg-users@gnupg.org Subject: Re: >> can someone verify the gnupg Fingerprint for pubkey? >> >> On 06/06/12 17:58, Mika Suomalainen wrote: >>>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 >>> Looks correct. >>> >>> ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 >>> gpg: requesting key 4F25E3B6 from hkp server >>> pool.sks-keyservers.net gpg: key 4F25E3B6: public key "Werner >>> Koch (dist sig)" imported >> >> I agree it appears he has the correct key. I did a local sig on >> it > after what >> checking I seemed to be able to do without meeting people in >> person. >> >> But it's a bit unclear to me on what basis you decided it looked > correct? Your >> mail suggests to me that you decided that based on the fact that >> the > UID on >> that key is "Werner Koch (dist sig)". But that would be the very >> first > thing a >> potential attacker would duplicate in his effort to fool our OP. >> Even > if he's >> using MITM tricks to subvert his system, he can still post his >> personally generated key to the keyserver with this UID. >> >> Peter. >> >> PS: I briefly considered signing this message, because the >> attacker > might MITM >> my message to the OP. Then I realised what good that signature >> would > do :). >> >> -- I use the GNU Privacy Guard (GnuPG) in combination with >> Enigmail. You can send me encrypted mail if you want some >> privacy. 
>> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

Oh, then you are checking the wrong thing. You should be checking the signatures in the key. That key looks valid to me.

```
% gpg --list-sigs D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
pub   2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
uid                  Werner Koch (dist sig)
sig          58DFC608 2011-06-11  Andrey Samokhvalov
sig          30B94B5C 2012-02-29  楊士青 (Yang Shih-Ching)
sig          1E42B367 2011-01-12  Werner Koch
sig          3B180E81 2011-02-13  Wolf Windshadow (My personal key)
sig          1CE0C630 2011-01-12  Werner Koch (dist sig)
sig 2        2AAA5C3B 2011-01-22  Gary de Montigny (HMS)
sig 2        E3F1D8F7 2012-01-31  Javier Alonso Fernández Almirall
sig 3        4F25E3B6 2011-01-12  Werner Koch (dist sig)
sig 1        46EB581F 2011-10-29  Stanislav Sidorenko (email&jabber)
sig          F80D46AB 2011-06-10  Ulf Linde
sig          A3B53998 2011-06-14  Daniel Kraft (Graz, Austria)
sub   2048R/AC87C71A 2011-01-12 [expires: 2019-12-31]
sig          1CE0C630 2011-01-12  Werner Koch (dist sig)
sig          4F25E3B6 2011-01-12  Werner Koch (dist sig)
```

-- 
[Mika Suomalainen](https://mkaysi.github.com/) || [gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) || [Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) || [Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) || [This signature](https://gist.github.com/2643070#file_icedove.md) || [Please reply below this line](http://mkaysi.github.com/articles/complaining/topposting.html)
Re: can someone verify the gnupg Fingerprint for pubkey?
On 07/06/12 06:23, da...@gbenet.com wrote:
> Clearly you failed to follow my link and clearly you failed to check the public key for gnupg. Now being a little confused try and get a clear question in your mind - is it Verner's key that you have such a passion to verify or gnupg?

I'm sorry, but I'm tech savvy and have some knowledge of OpenPGP and stuff and I'm quite confused about what you are trying to say in this mail.

I'm also a bit worried that your mail can be read as quite brusque for no good reason. Perhaps it comes across differently than you meant.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: can someone verify the gnupg Fingerprint for pubkey?
On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said:

> But it's a bit unclear to me on what basis you decided it looked correct? Your
> mail suggests to me that you decided that based on the fact that the UID on
> that key is "Werner Koch (dist sig)". But that would be the very first thing a

If you look at my OpenPGP mail header you will be pointed to a “finger” address - enter it into your web browser (in case you don't know what finger is) and you will see

pub   2048D/1E42B367 2007-12-31 [expires: 2018-12-31]
uid                  Werner Koch
uid                  Werner Koch
sub   2048R/FA8FE1F9 2008-03-21 [expires: 2011-12-30]
sub   1024D/77F95F95 2011-11-02
sub   2048R/C193565B 2011-11-07 [expires: 2013-12-31]

pub   2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
uid                  Werner Koch (dist sig)
sub   2048R/AC87C71A 2011-01-12 [expires: 2019-12-31]

pub   1024R/1CE0C630 2006-01-01 [expired: 2011-06-30]
uid                  Werner Koch (dist sig)

pub   1024D/57548DCD 1998-07-07 [expired: 2005-12-31]
uid                  Werner Koch (gnupg sig)

1E42B367 is my standard key [encrypt and sign; use this one].
4F25E3B6 is used to sign software distributions [sign only].
5B0358A2 was used as my key until it expired on 2011-07-11; it has been superseded by 1E42B367.
1CE0C630 was used to sign software distributions [sign only]; it has been superseded by 4F25E3B6.
57548DCD was used to sign software distributions [sign only]; it has been superseded by 1CE0C630.

Please note that I use a subkey for signing messages; some old OpenPGP implementations may not be able to check such a signature. The primary key is stored at a more or less secure place and only used on a spare laptop which is not connected to any network.

If you find a key certified by this one, you can be sure that I personally met this person and checked the name part of the user ID against an official looking passport or another suitable photo id. My signature does not say anything about the email address (I merely check that the address looks plausible).

followed by a public key block.

If you check the signatures of the current dist signing key (gpg --check-sigs 4F25E3B6):

pub   2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
uid                  Werner Koch (dist sig)
sig!3        4F25E3B6 2011-01-12  Werner Koch (dist sig)
sig!         1CE0C630 2011-01-12  Werner Koch (dist sig)
sig!         1E42B367 2011-01-12  Werner Koch
[...]

you will notice that the key has, in addition to the required self-signature (note the “sig!3” line with the same key ID as the “pub” line), a signature from the former dist signing key (1CE0C630), and one from my regular key 1E42B367. Now check my regular key and you will notice that it is very well connected in the Web of Trust.

Shalom-Salam,

   Werner

p.s.
If you wonder about the subkey of the dist sig key: It is used for ssh and, due to the “A” usage, ignored by gpg:

$ gpg2 --edit-key --batch 4F25E3B6 quit
Secret key is available.

pub  2048R/4F25E3B6  created: 2011-01-12  expires: 2019-12-31  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/AC87C71A  created: 2011-01-12  expires: 2019-12-31  usage: A
[ultimate] (1). Werner Koch (dist sig)

--
Thoughts are free. Exceptions are governed by a federal law.
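The checks Werner walks through above (and the point Peter makes further down, that a user ID is the one thing anybody can copy), run on the machine-readable `--with-colons` form of the same listing. This is an added example, not code from the thread or from GnuPG; the listing it parses is constructed, the only values taken from the thread are the dist-sig fingerprint and the short key IDs, and the long key IDs are labelled placeholders.

```python
"""Werner's three checks on machine-readable output: fingerprint match, a good
self-signature, and certifications from keys you already hold. Layout is
`gpg --with-colons --check-sigs` per GnuPG's doc/DETAILS: field 1 record type,
field 2 validity ('!' good, '?' signer key not held), field 5 key ID, field 10
user ID (on fpr records, the fingerprint).

The listing is constructed: key one carries the fingerprint quoted in the
thread, key two stands in for an upload by someone reusing the user ID. IDs
ending in 1E42B367, 1CE0C630 and AC87C71A are zero-padded placeholders (the
thread gives only short forms); the 1111... key is invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_CHECK_SIGS = """\
pub:-:2048:1:249B39D24F25E3B6:1294790400:1577750400::-:::scSC::::::
fpr:::::::::D8692123C4065DEA5E0F3AB5249B39D24F25E3B6:
uid:-::::1294790400::::Werner Koch (dist sig):::::::::
sig:!::1:249B39D24F25E3B6:1294790400::::Werner Koch (dist sig):13x:::::::
sig:!::1:000000001CE0C630:1294790400::::Werner Koch (dist sig):10x:::::::
sig:!::17:000000001E42B367:1294790400::::Werner Koch:10x:::::::
sig:?::1:0000000058DFC608:1307750400::::[User ID not found]:10x:::::::
sub:-:2048:1:00000000AC87C71A:1294790400:1577750400:::::a::::::
fpr:::::::::00000000000000000000000000000000AC87C71A:
pub:-:2048:1:0000000011111111:1338940800:::-:::scSC::::::
fpr:::::::::0000000000000000000000000000000011111111:
uid:-::::1338940800::::Werner Koch (dist sig):::::::::
sig:!::1:0000000011111111:1338940800::::Werner Koch (dist sig):13x:::::::
"""


@dataclass
class KeyRecord:
    key_id: str                    # long ID from the pub record
    fingerprint: str = ""          # primary-key fingerprint only
    uids: List[str] = field(default_factory=list)
    sigs: List[Tuple[str, str]] = field(default_factory=list)  # (validity, signer ID)


def parse_check_sigs(colon_output: str) -> List[KeyRecord]:
    """Group records by primary key; records after a sub line are skipped so a
    subkey's fpr is never taken for the primary fingerprint."""
    keys: List[KeyRecord] = []
    current: Optional[KeyRecord] = None
    in_subkey = False
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = KeyRecord(key_id=f[4].upper())
            keys.append(current)
            in_subkey = False
        elif current is None or in_subkey:
            continue
        elif f[0] == "sub":
            in_subkey = True
        elif f[0] == "fpr" and not current.fingerprint:
            current.fingerprint = f[9].upper()
        elif f[0] == "uid":
            current.uids.append(f[9])
        elif f[0] == "sig":
            current.sigs.append((f[1], f[4].upper()))
    return keys


def evaluate_key(key: KeyRecord, expected_fp: str,
                 known_signers: List[str]) -> Dict[str, bool]:
    """The user ID is deliberately not consulted. known_signers are IDs of keys
    you already trust; short IDs such as the thread's 1E42B367 match by suffix,
    prefer long IDs when you have them."""
    good = {signer for validity, signer in key.sigs if validity == "!"}
    return {
        "fingerprint_matches": key.fingerprint == "".join(expected_fp.split()).upper(),
        "valid_self_signature": key.key_id in good,
        "certified_by_known_keys": all(any(s.endswith(k.upper()) for s in good)
                                       for k in known_signers),
    }
```

Both sample keys pass the self-signature check and show the same user ID; only the fingerprint and the certifications from 1E42B367 and 1CE0C630 separate them.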
Re: can someone verify the gnupg Fingerprint for pubkey?
On 07/06/12 00:15, Sam Smith wrote:
> yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm trying to
> guard against.
>
> My efforts to verify the fingerprint are the best way to do this, correct?
>
>> Date: Wed, 6 Jun 2012 21:54:01 +0200
>> From: pe...@digitalbrains.com
>> To: gnupg-users@gnupg.org
>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>>
>> On 06/06/12 17:58, Mika Suomalainen wrote:
>>>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>>> Looks correct.
>>>
>>> ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 gpg:
>>> requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net gpg: key
>>> 4F25E3B6: public key "Werner Koch (dist sig)" imported
>>
>> I agree it appears he has the correct key. I did a local sig on it after what
>> checking I seemed to be able to do without meeting people in person.
>>
>> But it's a bit unclear to me on what basis you decided it looked correct? Your
>> mail suggests to me that you decided that based on the fact that the UID on
>> that key is "Werner Koch (dist sig)". But that would be the very first thing a
>> potential attacker would duplicate in his effort to fool our OP. Even if he's
>> using MITM tricks to subvert his system, he can still post his personally
>> generated key to the keyserver with this UID.
>>
>> Peter.
>>
>> PS: I briefly considered signing this message, because the attacker might MITM
>> my message to the OP. Then I realised what good that signature would do :).
>>
>> --
>> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
>> You can send me encrypted mail if you want some privacy.
>> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

Sam,

You are a little confused - you ask "can someone verify the gnupg fingerprint for pubkey" and you use Werner's key to verify gnupg. Then you worry about impersonation - now clearly Werner and gnupg have different keys. Or don't you know that? Clearly you failed to follow my link and clearly you failed to check the public key for gnupg. Now being a little confused try and get a clear question in your mind - is it Werner's key that you have such a passion to verify or gnupg?

Werner's had about three keys, two of which have expired - to the best of my knowledge he's a real person - he even maintains this list. You could always try encrypting an e-mail to his public key asking him if he's a real person. I'd suggest you not do the same for the public key of gnupg. People generate a private and a public key; imaginary people don't do this - granted someone can set up a false ID and create a set of keys - but though they have created a false ID to do so they are nevertheless real people.

If you are so concerned about Werner's key why not take a trip to Germany and arrange to meet him? You can't meet the gnupg (as it's a bit of software) but you can verify it's running on your computer.

All your keys are "untrusted." Every one of them - apart from your own public key. They all remain so until you actually meet that person and verify that they are who they say they are. You carefully check their passport, their driving licence. But gnupg has not got a passport or a driving licence. The only way you can check if gnupg is real is to check if it's running on your computer: gpg --version - this will tell you if you have the software installed. If it's installed and working correctly it must be real. What if that fails? Well, you do the same thing, gpg2 --version, and hope that Werner does not pop up and say "Hello."

David

--
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion.”

https://linuxcounter.net/user/512854.html - http://gbenet.com
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/06/2012 07:15 PM, Sam Smith wrote:
> My efforts to verify the fingerprint are the best way to do this, correct?

"Best" is a relative term.

The gold standard for validation involves meeting someone who claims to be Werner Koch, asking him for his passport, checking that his passport identifies him as Werner Koch and that all the anti-forgery measures are in place on the document, and having him tell you directly what his certificate fingerprint is.

Of course, this just establishes you have the certificate of *a* Werner Koch, and maybe not the one you want.

Certificate validation is a surprisingly hard thing to do. Sorry. :(
RE: can someone verify the gnupg Fingerprint for pubkey?
yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm trying to guard against.

My efforts to verify the fingerprint are the best way to do this, correct?

> Date: Wed, 6 Jun 2012 21:54:01 +0200
> From: pe...@digitalbrains.com
> To: gnupg-users@gnupg.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>
> On 06/06/12 17:58, Mika Suomalainen wrote:
>>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>> Looks correct.
>>
>> ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 gpg:
>> requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net gpg: key
>> 4F25E3B6: public key "Werner Koch (dist sig)" imported
>
> I agree it appears he has the correct key. I did a local sig on it after what
> checking I seemed to be able to do without meeting people in person.
>
> But it's a bit unclear to me on what basis you decided it looked correct? Your
> mail suggests to me that you decided that based on the fact that the UID on
> that key is "Werner Koch (dist sig)". But that would be the very first thing a
> potential attacker would duplicate in his effort to fool our OP. Even if he's
> using MITM tricks to subvert his system, he can still post his personally
> generated key to the keyserver with this UID.
>
> Peter.
>
> PS: I briefly considered signing this message, because the attacker might MITM
> my message to the OP. Then I realised what good that signature would do :).
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/06/12 17:58, Mika Suomalainen wrote:
>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> Looks correct.
>
> ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 gpg:
> requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net gpg: key
> 4F25E3B6: public key "Werner Koch (dist sig)" imported

I agree it appears he has the correct key. I did a local sig on it after what checking I seemed to be able to do without meeting people in person.

But it's a bit unclear to me on what basis you decided it looked correct? Your mail suggests to me that you decided that based on the fact that the UID on that key is "Werner Koch (dist sig)". But that would be the very first thing a potential attacker would duplicate in his effort to fool our OP. Even if he's using MITM tricks to subvert his system, he can still post his personally generated key to the keyserver with this UID.

Peter.

PS: I briefly considered signing this message, because the attacker might MITM my message to the OP. Then I realised what good that signature would do :).

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06.06.2012 15:54, Sam Smith wrote:
> Can someone please verify that I have the legit public key to
> verify GnuPG with? I checked the website but the Fingerprint is not
> given anywhere.
>
> I got this Fingerprint for the Public Key I downloaded
>
> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

Looks correct.

```
% gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
gpg: waiting for lock (held by 9266) ...
gpg: waiting for lock (held by 9266) ...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   4  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   4  signed:  11  trust: 3-, 0q, 0n, 1m, 0f, 0u
gpg: next trustdb check due at 2012-07-29
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
```

--
[Mika Suomalainen](https://mkaysi.github.com/) || [gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) || [Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) || [Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) || [This signature](https://gist.github.com/2643070#file_icedove.md) || [Please reply below this line](http://mkaysi.github.com/articles/complaining/topposting.html)
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/06/12 13:54, Sam Smith wrote:
> Can someone please verify that I have the legit public key to verify GnuPG
> with? I checked the website but the Fingerprint is not given anywhere.
>
> I got this Fingerprint for the Public Key I downloaded
>
> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

Hello,

You want to go to this link

> http://gnupg.org/signature_key.en.html

and select the public key block - then copy it, then open whatever gnupg frontend you have and import from clipboard.

David

--
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion.”

https://linuxcounter.net/user/512854.html - http://gbenet.com
Re: can someone verify the gnupg Fingerprint for pubkey?
On Wednesday 06 of June 2012 09:39:12 Sam Smith wrote:
> Yeah, thanks. It's the key that signed the .sig and the one I needed to
> download to verify. I downloaded it from a Key Server--don't know how else
> to get the public key.
>
> I checked the gpg package legitimacy on a computer that already had gpg
> installed. But wanted to make sure I had a legit pub key for the new
> machine I was building. Thanks!
>
> Is there another way to verify the legitimacy of a downloaded public key?
> (assuming you don't know any of the other sigs on the pub key that is,
> obviously). Or is asking on a user list like this the recommended way?

From a security perspective, the public key and (long) fingerprint are synonymous. In other words, as long as the fingerprint matches the certificate, it doesn't matter where you get the certificate from. But this only holds true if you trust the validity of the fingerprint.

Regards,
Hubert Kario

> > Date: Wed, 6 Jun 2012 09:31:15 -0400
> > From: shavi...@gmail.com
> > To: gnupg-users@gnupg.org
> > Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> >
> > Sam Smith June 6, 2012 9:25:37 AM wrote:
> >
> > Sam Smith wrote on 6/6/12 8:54 AM:
> > > Can someone please verify that I have the legit public key to verify
> > > GnuPG with? I checked the website but the Fingerprint is not given
> > > anywhere.
> > >
> > > I got this Fingerprint for the Public Key I downloaded
> > >
> > > D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> >
> > That's the fingerprint for Werner Koch (dist sig):
> >
> > pub  2048R/4F25E3B6  created: 2011-01-12  expires: 2019-12-31  usage: SC
> >                      trust: []  validity: []
> > sub  2048R/AC87C71A  created: 2011-01-12  expires: 2019-12-31  usage: A
> > [] (1). Werner Koch (dist sig)
> > pub   2048R/4F25E3B6 2011-01-12 Werner Koch (dist sig)
> > Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> >
> > Hope this is what you were looking for.
> > Charly
> > Mac OS X 10.7.4 (11E52) MacBook Intel C2Duo MacGPG2-2.0.17-9
> > Thunderbird 13.0 Enigmail 1.4.2 (20120519-0100)

--
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl
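Why Hubert can call the key and its fingerprint synonymous: a v4 fingerprint is SHA-1 over the public-key packet alone (RFC 4880 section 12.2), so it pins the key material but says nothing about the user ID packets that follow it. The code below is an added example, not from the thread or from GnuPG; the RSA modulus is a constructed toy value, and the only value taken from the thread is the spaced fingerprint used to show normalisation.

```python
"""OpenPGP v4 fingerprint from a public-key packet, RFC 4880 section 12.2:
SHA-1 over 0x99, the 2-byte body length, and the packet body (version,
creation time, algorithm, MPIs). User-ID packets are not part of the hash,
which is the reason a copied UID proves nothing about a key.

Added example. SAMPLE_N is a constructed 128-bit number, useless as a real
key; it only exercises the encoding. Header byte 0x99 is tag 6 (public key)
with an old-style 2-byte length, 0xB4 is tag 13 (user ID) with a 1-byte length.
"""
import hashlib
import struct

SAMPLE_N = 0xD5C7C6A1B3E9F0013579BDF2468ACE13   # constructed toy modulus
SAMPLE_E = 65537
SAMPLE_CREATED = 1294790400                     # 2011-01-12, the dist-sig creation date


def mpi(value: int) -> bytes:
    """RFC 4880 MPI: 2-byte bit count, then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA (algorithm id 1) public-key packet."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def user_id_packet(user_id: str) -> bytes:
    data = user_id.encode("utf-8")
    return b"\xb4" + bytes([len(data)]) + data


def build_keyblock(body: bytes, user_id: str) -> bytes:
    """Minimal keyblock: public-key packet, then one user-ID packet. A real
    export also carries self-signature packets; they are omitted here."""
    return b"\x99" + struct.pack(">H", len(body)) + body + user_id_packet(user_id)


def v4_fingerprint(keyblock: bytes) -> str:
    """Parse the leading public-key packet and hash exactly what the RFC
    prescribes; nothing after that packet (UIDs, signatures, subkeys) enters."""
    if keyblock[:1] != b"\x99":
        raise ValueError("expected a public-key packet with a 2-byte old-style length")
    (length,) = struct.unpack(">H", keyblock[1:3])
    body = keyblock[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """Long key ID is the low 64 bits of the fingerprint; the short ID the low 32."""
    return fingerprint[-16:]


def normalize_fingerprint(text: str) -> str:
    """Accept the spaced form pasted in mail, e.g. 'D869 2123 ... 4F25 E3B6'."""
    return "".join(text.split()).upper()


def fingerprint_matches(keyblock: bytes, expected: str) -> bool:
    """The check to run on a downloaded key before its user ID is believed."""
    return v4_fingerprint(keyblock) == normalize_fingerprint(expected)


if __name__ == "__main__":
    body = public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    genuine = build_keyblock(body, "Werner Koch (dist sig)")
    relabelled = build_keyblock(body, "Somebody Else (dist sig)")
    print(v4_fingerprint(genuine), key_id(v4_fingerprint(genuine)))
    print(v4_fingerprint(genuine) == v4_fingerprint(relabelled))   # True: UID is not hashed
```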
RE: can someone verify the gnupg Fingerprint for pubkey?
Yeah, thanks. It's the key that signed the .sig and the one I needed to download to verify. I downloaded it from a Key Server--don't know how else to get the public key.

I checked the gpg package legitimacy on a computer that already had gpg installed. But wanted to make sure I had a legit pub key for the new machine I was building. Thanks!

Is there another way to verify the legitimacy of a downloaded public key? (assuming you don't know any of the other sigs on the pub key that is, obviously). Or is asking on a user list like this the recommended way?

> Date: Wed, 6 Jun 2012 09:31:15 -0400
> From: shavi...@gmail.com
> To: gnupg-users@gnupg.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>
> Sam Smith June 6, 2012 9:25:37 AM wrote:
> Sam Smith wrote on 6/6/12 8:54 AM:
> > Can someone please verify that I have the legit public key to verify
> > GnuPG with? I checked the website but the Fingerprint is not given anywhere.
> >
> > I got this Fingerprint for the Public Key I downloaded
> >
> > D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>
> That's the fingerprint for Werner Koch (dist sig):
>
> pub  2048R/4F25E3B6  created: 2011-01-12  expires: 2019-12-31  usage: SC
>                      trust: []  validity: []
> sub  2048R/AC87C71A  created: 2011-01-12  expires: 2019-12-31  usage: A
> [] (1). Werner Koch (dist sig)
> pub   2048R/4F25E3B6 2011-01-12 Werner Koch (dist sig)
> Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>
> Hope this is what you were looking for.
> Charly
> Mac OS X 10.7.4 (11E52) MacBook Intel C2Duo MacGPG2-2.0.17-9
> Thunderbird 13.0 Enigmail 1.4.2 (20120519-0100)
Re: can someone verify the gnupg Fingerprint for pubkey?
Sam Smith June 6, 2012 9:25:37 AM wrote:
Sam Smith wrote on 6/6/12 8:54 AM:
> Can someone please verify that I have the legit public key to verify
> GnuPG with? I checked the website but the Fingerprint is not given anywhere.
>
> I got this Fingerprint for the Public Key I downloaded
>
> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

That's the fingerprint for Werner Koch (dist sig):

pub  2048R/4F25E3B6  created: 2011-01-12  expires: 2019-12-31  usage: SC
                     trust: []  validity: []
sub  2048R/AC87C71A  created: 2011-01-12  expires: 2019-12-31  usage: A
[] (1). Werner Koch (dist sig)
pub   2048R/4F25E3B6 2011-01-12 Werner Koch (dist sig)
Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

Hope this is what you were looking for.

Charly
Mac OS X 10.7.4 (11E52) MacBook Intel C2Duo MacGPG2-2.0.17-9
Thunderbird 13.0 Enigmail 1.4.2 (20120519-0100)