can someone verify the gnupg Fingerprint for pubkey?

Sam Smith smickson at hotmail.com
Fri Jun 8 23:37:00 CEST 2012


David, 

I downloaded the GnuPG program. I then ran --verify and was told that the file was signed with the 0x4F25E3B6 key. I downloaded the 0x4F25E3B6 key from a key server and then asked people on this mailing list to confirm that I had downloaded a legit key. Several people on this mailing list confirmed the fingerprint of this key as a legit key. I then marked the key as trusted because I had verified the fingerprint. I then ran gpg --verify on the gnupg program and got a Good Signature. 

Of course it would be good to meet Werner and look at his passport and all this nonsense. But that is ridiculous because it's never going to happen. I read the GnuPG manual, and what I did is what the manual describes as good practice. What you describe is just nonsense. Yes, it is truly secure and everything, but, you know, completely impractical, so why did you even write it?

My question was an honest one and made in good faith about trying to learn and be humble that I don't know everything. But I struggle to find what can be learned from your email. I did follow your link to the posted public key. However, I had already downloaded from a keyserver the key that was identified as being the one that signed the gnupg program (0x4F25E3B6). And others verified the fingerprint. So do I still need to download the key that you posted a link to? Aren't they the same key? Strangely, before I downloaded key 0x4F25E3B6, I searched the website looking for a public key to download but did not find the link that you provided.



> Date: Thu, 7 Jun 2012 05:23:43 +0100
> From: david at gbenet.com
> To: gnupg-users at gnupg.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 07/06/12 00:15, Sam Smith wrote:
> > yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm trying to guard against.
> > 
> > My efforts to verify the fingerprint are the best way to do this, correct?
> > 
> > 
> > 
> > 
> >> Date: Wed, 6 Jun 2012 21:54:01 +0200
> >> From: peter at digitalbrains.com
> >> To: gnupg-users at gnupg.org
> >> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> >>
> >> On 06/06/12 17:58, Mika Suomalainen wrote:
> >> >> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> >> > Looks correct.
> >> >
> >> > ```
> >> > % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> >> > gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
> >> > gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
> >> > ```
> >>
> >> I agree it appears he has the correct key. I did a local sig on it after what
> >> checking I seemed to be able to do without meeting people in person.
> >>
> >> But it's a bit unclear to me on what basis you decided it looked correct? Your
> >> mail suggests to me that you decided that based on the fact that the UID on
> >> that key is "Werner Koch (dist sig)". But that would be the very first thing a
> >> potential attacker would duplicate in his effort to fool our OP. Even if he's
> >> using MITM tricks to subvert his system, he can still post his personally
> >> generated key to the keyserver with this UID.
> >>
> >> Peter.
> >>
> >> PS: I briefly considered signing this message, because the attacker might MITM
> >> my message to the OP. Then I realised what good that signature would do :).
> >>
> >> --
> >> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> >> You can send me encrypted mail if you want some privacy.
> >> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
> >>
> >> _______________________________________________
> >> Gnupg-users mailing list
> >> Gnupg-users at gnupg.org
> >> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> > 
> > 
> 
> Sam,
> 
> You are a little confused - you ask "can some one verify the gnupg fingerprint for
> pubkey" and you use Werner's key to verify gnupg. Then you worry about impersonation - now
> clearly Werner and gnupg have different keys. Or don't you know that?
> 
> Clearly you failed to follow my link and clearly you failed to check the public key for
> gnupg. Now, being a little confused, try and get a clear question in your mind - is it
> Werner's key that you have such a passion to verify, or gnupg's?
> 
> Werner's had about three keys, two of which have expired - to the best of my knowledge he's
> a real person - he even maintains this list. You could always try encrypting an e-mail to
> his public key asking him if he's a real person. I'd suggest you not do the same for the
> public key of gnupg.
> 
> People generate a private and a public key imaginary people don't do this - granted some one
> can set up a false ID and create a set of keys - but though they have created a false ID to
> do so they are nevertheless real people.
> 
> If you are so concerned about Werner's key, why not take a trip to Germany and arrange to
> meet him? You can't meet gnupg (as it's a bit of software), but you can verify it's
> running on your computer.
> 
> All your keys are "untrusted." Every one of them - apart from your own public key. They all
> remain so until you actually meet that person and verify that they are who they say they
> are. You carefully check their passport, their driving licence.
> 
> But gnupg has not got a passport or a driving license. The only way you can check if gnupg
> is real is to check if it's running on your computer gpg --version - this will tell you if
> you have the software installed. If it's installed and working correctly it must be real.
> 
> What if that fails? Well, you do the same thing with gpg2 --version and hope that Werner does not
> pop up and say "Hello."
> 
> David
> 
> 
> - -- 
> "See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the
> kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No
> delusion." https://linuxcounter.net/user/512854.html - http://gbenet.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iQEcBAEBAgAGBQJP0CzCAAoJEOJpqm7flRExrRoH+gIVpmZ+pLRh3iT13AzX7oUn
> qcJ8F9WT8RvfpTEK4gWPmu6MXmSVLbIvzJPcQswVFCGSgHeisIxkKSdZzXzsV1Ay
> Yge0MPrZIxR/xA8ZJFC2+Oirx7ERPf615neoIAFwGu6Ern4XHWS7D2iCpfdknFfe
> B2zmQGHhHmonZG99MOUyAAO9ndDxeXtBMxcTFFPn3ilSqErQ3Xhc9uDOaSWG5uc+
> prgXt8E9Ku4sptk7vDnArxri5i5xs6QAxP7JzGYZda/9vqyDfj5ZniIht+8VAu3x
> eugnoPGyyBiJJ/blmeRoizbqG2xwwxkpb9lE8/cCPKw/4pdUo+638IGd2LXYkp8=
> =5tt8
> -----END PGP SIGNATURE-----
> 
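The check Sam describes (fetch the key named in the --verify output, confirm its full fingerprint against a value obtained elsewhere, and only then mark it trusted) and Peter's warning that the UID "Werner Koch (dist sig)" is the first thing an impostor would copy come down to one rule: match on the complete 40-hex-digit fingerprint, never on the short key ID or the UID. The script below is an added example written for this page, not code from the GnuPG project or from anyone in the thread. It parses the machine-readable output of `gpg --with-colons --fingerprint` (the `pub`, `fpr`, `sub` and `uid` record types with the key ID in field 5 and the fingerprint or user ID in field 10) and picks out the key whose fingerprint equals the expected one. The listing embedded in it is constructed: the first key carries the genuine fingerprint quoted earlier in the thread, while the second is a made-up impostor with the same UID and the same short key ID 4F25E3B6 but a different fingerprint; the dates and hash fields are dummies. The `gpg_colon_listing` helper runs the real `gpg` against a key you have already imported and is the only part that needs the binary.

```python
"""Select the key to trust by full fingerprint, not by short key ID or UID.

Added example for the gnupg-users thread above; the listing below is
constructed, not captured from a real keyring.
"""
import hmac
import re
import subprocess

# Fingerprint of the "Werner Koch (dist sig)" key as quoted in the thread.
EXPECTED_FINGERPRINT = "D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6"

# Constructed `gpg --with-colons --fingerprint` output (dummy dates/hashes).
# Key 1: the genuine fingerprint above. Key 2: a fictitious impostor sharing
# the UID and the short ID 4F25E3B6 but with a different fingerprint.
SAMPLE_LISTING = """\
tru::1:1339188000:0:3:1:5
pub:-:2048:1:249B39D24F25E3B6:1300000000:1400000000::-:::scESC:
fpr:::::::::D8692123C4065DEA5E0F3AB5249B39D24F25E3B6:
uid:-::::1300000000::0000000000000000000000000000000000000000::Werner Koch (dist sig):
sub:-:2048:1:0123456789ABCDEF:1300000000:1400000000:::::e:
fpr:::::::::FEDCBA9876543210FEDCBA980123456789ABCDEF:
pub:-:2048:1:000011114F25E3B6:1339000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF000011114F25E3B6:
uid:-::::1339000000::1111111111111111111111111111111111111111::Werner Koch (dist sig):
"""


def normalize_fingerprint(text):
    """Drop spacing and case; insist on a full v4 fingerprint (40 hex digits)."""
    fpr = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(fpr) != 40:
        raise ValueError("expected a 40-hex-digit fingerprint, got %r" % (text,))
    return fpr


def parse_colons(listing):
    """Group a colon listing into primary keys: {keyid, fpr, uids}.

    Only the fpr record that directly follows a pub record is the primary
    fingerprint; fpr records after sub records belong to subkeys and are skipped.
    """
    keys, current, want_primary_fpr = [], None, False
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = {"keyid": fields[4], "fpr": None, "uids": []}
            keys.append(current)
            want_primary_fpr = True
        elif rtype == "sub":
            want_primary_fpr = False
        elif rtype == "fpr" and current is not None and want_primary_fpr:
            current["fpr"] = fields[9].upper()
            want_primary_fpr = False
        elif rtype == "uid" and current is not None:
            current["uids"].append(fields[9])
    return keys


def keys_matching_short_id(keys, short_id):
    """Keys whose key ID ends in the short ID (0x prefix optional).

    Included only to show that this match is ambiguous: anyone can generate a
    key whose ID ends in the same 8 hex digits and give it the same UID.
    """
    sid = short_id.upper()
    if sid.startswith("0X"):
        sid = sid[2:]
    return [k for k in keys if k["keyid"].upper().endswith(sid)]


def keys_matching_fingerprint(keys, expected):
    """Keys whose primary fingerprint equals the out-of-band expected value."""
    want = normalize_fingerprint(expected)
    return [k for k in keys if k["fpr"] and hmac.compare_digest(k["fpr"], want)]


def select_key_to_trust(listing, expected):
    """Return the long key ID to pass to `gpg --lsign-key`, or raise."""
    matches = keys_matching_fingerprint(parse_colons(listing), expected)
    if len(matches) != 1:
        raise LookupError("expected exactly one key with fingerprint %s, found %d"
                          % (normalize_fingerprint(expected), len(matches)))
    return matches[0]["keyid"]


def gpg_colon_listing(key_spec):
    """Real listing for a key already imported with `gpg --recv-keys`."""
    result = subprocess.run(["gpg", "--batch", "--with-colons", "--fingerprint", key_spec],
                            check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    keys = parse_colons(SAMPLE_LISTING)
    ambiguous = keys_matching_short_id(keys, "0x4F25E3B6")
    print("keys matching short ID 4F25E3B6:", [k["keyid"] for k in ambiguous])
    print("UIDs on those keys:", [k["uids"] for k in ambiguous])
    print("key to lsign:", select_key_to_trust(SAMPLE_LISTING, EXPECTED_FINGERPRINT))
```

Run against a real keyring by replacing `SAMPLE_LISTING` with `gpg_colon_listing("0x4F25E3B6")`; the short-ID lookup then returns every key on the keyserver that ends in those eight digits, and only the fingerprint comparison narrows it to one. The key ID it returns is the one to give to `gpg --lsign-key`, which is the local signature Peter mentions making after his own checks.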