GnuPG distribution signature

Nicholas Cole nicholas.cole at gmail.com
Thu Feb 2 18:07:57 CET 2012


On Tue, Jan 31, 2012 at 8:15 AM, Werner Koch <wk at gnupg.org> wrote:
> On Tue, 31 Jan 2012 00:06, faramir.cl at gmail.com said:
>> Hello,
>>       Is key D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6 (
>> 0x4F25E3B6 ) the current key used for signing files? I suppose it is,
>
> Yes, it is.  See my OpenPGP mail header for a list of all my keys and
> their descriptions.
>
> There is a small error in the announcement:
>
>     gpg --recv-key 4F25E3B6
>
>   The distribution key 1CE0C630 is signed by the well known keys
>
> It should say
>
>     gpg --recv-key 4F25E3B6
>
>   The distribution key 4F25E3B6 is signed by the well known keys

I've long thought that one nightmare scenario for OpenPGP would be an
ISP or other network gateway that transparently scanned all data
passing through it looking for specific key ids and fingerprints and
which silently changed them in webpages, email etc to fraudulent
values.  I can't imagine that it would be that difficult, and it would
be difficult to detect as well as tripping up anyone who relied on
"well-known" keys.

N
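A check that catches the substitution described above, as an added example that is not part of the original post: compare the fingerprint of the key actually imported with copies obtained over independent channels, and confirm that the short key ID used for `--recv-key` belongs to it. The function names and the colon-format sample are constructed for illustration; the fingerprint and key IDs are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Normalise a fingerprint or key ID: drop whitespace and a leading 0x, uppercase.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint KEYID` output on stdin and print the
# primary key fingerprint (field 10 of the first "fpr" record).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# check_key IMPORTED_FPR KEYID_USED COPY COPY...
# Returns 0 only if IMPORTED_FPR is a 40-hex-digit fingerprint, ends in
# KEYID_USED, and equals every independently obtained COPY (at least two).
check_key() {
    ck_imported=$(norm_fpr "$1"); ck_keyid=$(norm_fpr "$2"); shift 2
    case "$ck_imported" in
        *[!0-9A-F]*|'') echo "malformed fingerprint" >&2; return 2 ;;
    esac
    [ "${#ck_imported}" -eq 40 ] || { echo "not a 160-bit fingerprint" >&2; return 2; }
    [ -n "$ck_keyid" ] || { echo "empty key ID" >&2; return 2; }
    case "$ck_imported" in
        *"$ck_keyid") ;;
        *) echo "key ID $ck_keyid does not belong to imported key" >&2; return 1 ;;
    esac
    [ "$#" -ge 2 ] || { echo "need at least two independent copies" >&2; return 2; }
    for ck_copy in "$@"; do
        [ "$(norm_fpr "$ck_copy")" = "$ck_imported" ] || {
            echo "MISMATCH: one channel reported $(norm_fpr "$ck_copy")" >&2
            return 1
        }
    done
}

# Constructed, abbreviated sample of colon-format output for offline use.
# With a real keyring: gpg --with-colons --fingerprint 4F25E3B6 | fpr_from_colons
SAMPLE_COLONS='pub:-:2048:1:249B39D24F25E3B6:::-:::scESC:
fpr:::::::::D8692123C4065DEA5E0F3AB5249B39D24F25E3B6:'
```

The copies passed to `check_key` are only useful if they arrived by routes a single gateway could not rewrite together, for example a printed fingerprint and one read from a signed release announcement.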


