On 08/10/2012 01:34 PM, Gabor Kiss wrote:
> [kristian fiskerstrand wrote:]
>> As an FYI; I've now added HTTPS/TLS support to
>> https://sks-keyservers.net . It is part of the monkeysphere[0], i.e.
>> using a self-signed certificate that can be verified through the Web of
>> Trust of OpenPGP.
>>
>> The KeyID of the certificate should is 0xd71fd9994af34f0b and can be
>> found in the pool[1]. The fingerprint of the key is
>> 878F FB44 5E6E 13A6 4716 3BDC D71F D999 4AF3 4F0B

this fingerprint is the OpenPGP fingerprint of the public key associated
with https://sks-keyservers.net. As with any OpenPGPv4 fingerprint, it
is a digest made over some boilerplate, the key creation time, and the
public key material.

> My browsers say that SHA-1 fingerprint of
> certificate of sks-keyservers.net is
> F7 2A 69 75 64 44 08 D3 38 D3 5D AE DE AD 7C 44 53 0D FA 40
> MD5 is
> 26 BB A1 88 FF E7 C9 A0 AC 97 4F F8 04 F4 FF 03
> SHA-256 is
> 06 64 76 1C 8C D3 9C D6 AE 83 FE 82 13 DF 89 37
> D4 40 3B 39 0F 58 57 41 D6 F6 89 B1 B9 E5 7C 8B

these digests are the digests of the X.509 certificate, which covers the
site's public key material plus some other DER-encoded metadata.

So you can't directly compare these fingerprints. :(

However, you *can* compare the public key material between the
certificates (though that's tedious to do by hand) -- you'll see that
the OpenPGP certificate signed by Kristian contains the same public key
material as the X.509 certificate offered directly by the web site.

> None of them looks like you mentioned.
> Probably I misunderstood something. :-)
> What should I check if I want to verify this connection.

if you have a copy of the X.509 certificate locally in
sks-keyservers.pem, and gpg believes kristian's keys are valid, and you
are running the monkeysphere validation agent, you could do:

 msva-query-agent https sks-keyservers.net x509pem < sks-keyservers.pem

> (AFAIK Opera has no monkeysphere plugin.)

if you'd like to implement one, we'd be happy to point you in the right
direction :)

 http://web.monkeysphere.info/community/

	--dkg
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
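
An added example, not part of the original message and not monkeysphere code: Python that wraps one constructed toy RSA (n, e) in an OpenPGP v4 public-key packet and in a DER RSAPublicKey, showing why the two digests differ while the extracted key material compares equal. Assumptions: all function names are illustrative, and the DER structure stands in only for the key portion of a certificate (a real X.509 fingerprint is taken over the whole DER certificate).

```python
import hashlib
import struct

def mpi(x):
    # OpenPGP MPI: 2-byte bit count, then the big-endian magnitude.
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")

def openpgp_key_body(n, e, created):
    # v4 public-key packet body: version, creation time, algorithm 1 (RSA), MPIs.
    return b"\x04" + struct.pack(">IB", created, 1) + mpi(n) + mpi(e)

def openpgp_v4_fingerprint(body):
    # RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, body.
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def der_int(x):
    # DER INTEGER, sized so the top bit is clear and the value stays non-negative.
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return b"\x02" + bytes([len(raw)]) + raw

def der_rsa_public_key(n, e):
    # PKCS#1 RSAPublicKey SEQUENCE, short-form lengths only (toy key sizes).
    content = der_int(n) + der_int(e)
    return b"\x30" + bytes([len(content)]) + content

def rsa_from_openpgp(body):
    # (n, e) from a v4 RSA public-key packet body.
    if body[0] != 4 or body[5] != 1:
        raise ValueError("expected a v4 RSA key")
    n_len = (struct.unpack_from(">H", body, 6)[0] + 7) // 8
    e_len = (struct.unpack_from(">H", body, 8 + n_len)[0] + 7) // 8
    n = int.from_bytes(body[8:8 + n_len], "big")
    return n, int.from_bytes(body[10 + n_len:10 + n_len + e_len], "big")

def rsa_from_der(der):
    # (n, e) from the short-form DER RSAPublicKey built above.
    if der[0] != 0x30 or der[2] != 0x02:
        raise ValueError("expected SEQUENCE of INTEGER")
    n_len, e_len = der[3], der[5 + der[3]]
    n = int.from_bytes(der[4:4 + n_len], "big")
    return n, int.from_bytes(der[6 + n_len:6 + n_len + e_len], "big")

def same_key_material(pgp_body, der):
    return rsa_from_openpgp(pgp_body) == rsa_from_der(der)

if __name__ == "__main__":  # constructed toy values, not a real key
    n, e = 0xC0FFEE0123456789ABCDEF01, 65537
    body, der = openpgp_key_body(n, e, 1344600000), der_rsa_public_key(n, e)
    print(openpgp_v4_fingerprint(body), hashlib.sha1(der).hexdigest(), same_key_material(body, der))
```

Changing only the creation time changes the OpenPGP fingerprint, which is why the comparison has to be made on (n, e) rather than on either digest.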