Problems importing public key
Graeme Nichols
gnichols at tpg.com.au
Fri Apr 16 08:59:23 CEST 2004
On Thu, 2004-04-15 at 06:16, Neil Williams wrote:
> On Wednesday 14 Apr 2004 7:15, Graeme Nichols wrote:
> > Hello Folks,
> >
> > I was sent a public key by a fellow so that I could encrypt a file to
> > him. The name of the file, for what it is worth is: 0xF94BBB03.asc which
>
> You might be able to trust this file, but why should GnuPG? You've just
> imported a public key that has no relation to your own key, there is nothing
> for GnuPG to use to work out whether to trust the key. You comment that this
> is for sensitive data yet you seem prepared to take the key at face value.
>
> > happens to be the DSA key ID of his key used to sign his emails. It
>
> So all you really know about this key is that the email address matches the
> keyID. Is that enough? Can't be particularly sensitive data for encryption!
>
> > imports OK into my gnupg V1.2.3 but when I click on the lock icon in
> > Evolution (so I can test the public key) I get the following error:
> >
> > gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
> > gpg: Signature made Sat 03 Apr 2004 09:54:31 EST using DSA key ID
> > F94BBB03
> > gpg: BAD signature from "Benoit Grégoire (Serveur télématique des
>
> Oops. You've got the right key but something is wrong with the email.
>
> > étudiants de Polytechnique) <bock at step.polymtl.ca>"
> > gpg: textmode signature, digest algorithm SHA1
> >
> > What have I done wrong?
>
> Nothing, necessarily. There may be something wrong with the signed email
> though.
>
> > I have another public key that I imported from a keyserver that works OK
>
> If you import a new copy of the same key, it'll simply overwrite the old one.
> The only differences that will make any odds here are things like extra
> subkeys, extra signatures, extra UIDs. If GnuPG accepts these two keys as
> the same, the public key in both copies is the same.
>
> > if I click the lock icon on Evolution yet if I fire up seahorse and
> > click on the Key Manager icon to list the keys I have under the 'trust'
> > column both the public keys I have imported show 'ERROR'. Mine naturally
> > shows 'ultimate'
>
> This is the separate trust issue. GnuPG cannot trust this key because you
> haven't verified the key. You would need to follow the keysigning procedure
> and then sign the key for GnuPG to be able to trust this key.
>
> > I really need to find out if I have done something wrong so I can
>
> No, just that there is something that you haven't yet done.
>
> > rectify the problem as Benoit is waiting for the file he needs me to
> > send him and I am not going to send it if something is wrong as the file
> > has some very private data in it and I don't want it to fall into the
> > wrong hands.
>
> Then you MUST verify the key properly. Usually, this involves meeting
> face-to-face to exchange GnuPG fingerprints and verify proof of photo ID AS
> WELL as verifying that the email address in the key is the right destination.
>
> GnuPG cannot be expected to encrypt sensitive data if there is no way of
> knowing if you are encrypting to the right person.

Thanks for the info, Neil. I can encrypt the sensitive data file OK using
the public key provided, but, as you say, I have no idea whether I can
trust this key. I have never met the gentleman in question (who is as
honest as the day is long, I'm sure) but I have no way of knowing if
someone is impersonating him, thus my concern when ALL his signed emails
fail to authenticate properly with the key he provided.

As I am no expert on this topic can you tell me how I could attempt to
download his public key from a keyserver? The only public key I have
downloaded so far had foolproof instructions in the form of a url in the
comment field and then foolproof instructions when one connected to that
url. It was the key for Dennis Patrick Lamb Jr., very cleverly done.
--
Kind regards,
Graeme Nichols
----------------------------------------------------------------------
Politics, as a practice, whatever its professions, has always been the
systematic organisation of hatreds.
-- Henry Adams, "The Education of Henry Adams"
----------------------------------------------------------------------
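An added example, not part of either post: one way to script the fingerprint comparison discussed in the thread, so that a key is accepted only when its full fingerprint equals the one obtained out of band and a match on the 8-digit key ID alone is rejected. The function names, the keyserver host, and the sample listing (including its fingerprint) are constructed for illustration; a v4 key with a 40-hex-digit fingerprint is assumed.

```shell
#!/bin/sh
# Live use (keyserver.example is a placeholder host):
#   gpg --keyserver keyserver.example --recv-keys F94BBB03
#   check_key "$(gpg --with-colons --fingerprint F94BBB03)" "<fingerprint read to you>"

# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_LISTING='pub:-:1024:17:AAAAAAAAF94BBB03:2003-01-01:::-:Constructed User <user@example.org>::scESC:
fpr:::::::::0123456789ABCDEF01234567AAAAAAAAF94BBB03:
sub:-:1024:16:1111111122222222:2003-01-01::::::e:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:'

# Normalise a fingerprint as people write it: drop spaces and colons, upper-case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\n\t' | tr 'abcdef' 'ABCDEF'
}

# Print the primary key fingerprint: field 10 of the first fpr record after pub.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1 } seen && $1 == "fpr" { print $10; exit }'
}

# check_key LISTING EXPECTED_FPR
# Prints a verdict and returns 0 only when the full fingerprints are equal.
check_key() {
    got=$(printf '%s\n' "$1" | primary_fpr)
    want=$(norm_fpr "$2")
    if [ -z "$got" ]; then echo "no-fingerprint"; return 2; fi
    # Refuse to decide on a short or long key ID; only 40 hex digits count.
    if [ "${#want}" -ne 40 ]; then echo "need-full-fingerprint"; return 2; fi
    if [ "$got" = "$want" ]; then echo "match"; return 0; fi
    # Same last 8 digits but a different fingerprint: a different key
    # that merely shares the short key ID.
    short=$(printf '%s' "$want" | tail -c 8)
    case "$got" in
        *"$short") echo "short-id-only"; return 1 ;;
    esac
    echo "mismatch"; return 1
}

# Demo on the constructed listing: fingerprint typed in lower case with spaces.
check_key "$SAMPLE_LISTING" "0123 4567 89ab cdef 0123 4567 aaaa aaaa f94b bb03" || true
```

A `match` verdict only says the local copy is the key whose fingerprint was supplied; whether that fingerprint really came from the intended recipient still depends on the out-of-band channel used to obtain it.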