can someone verify the gnupg Fingerprint for pubkey?

Sam Smith smickson at hotmail.com
Sun Jun 10 16:14:28 CEST 2012


I have to agree with Peter. I mean, everyone has to trust someone/something at some point. I mean you trust Windows OS or your Linux Distro that it is not doing bad things. It is calling up all these APIs etc. Have you verified everything your OS does? Have you verified every signing key used by your Distro or Windows certificate?

At some point you have to trust the integrity of something. And this trust is never going to be perfect. There should be caution and if you want assurance you should check sources. This was what I was trying to do by asking this list. I asked this list after I had already looked other places to verify the fingerprint.

If absolute trust was sought for everything, nobody would ever be able to do anything because so few things would be trusted enough to move forward on anything.

> Date: Sat, 9 Jun 2012 17:05:05 +0200
> From: peter at digitalbrains.com
> To: rjh at sixdemonbag.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> CC: gnupg-users at gnupg.org
> 
> On 09/06/12 15:44, Robert J. Hansen wrote:
> > I'm not weighing in on what the mechanism should be: I don't get to declare 
> > what anyone else's policy should be.
> 
> I was under the impression you did. I interpreted your mail and particularly the
> statement
> 
> > but this either is or isn't a proper verification, and there's no 
> > in-between.
> 
> as meaning that there is only one correct way to do a proper verification. From
> your reply, I understand now you did not mean it like that. I was already quite
> puzzled about my interpretation because it didn't sound like you :).
> 
> >> It doesn't really matter how many Werner Kochs there are.
> > 
> > Sure it does.  As an absurdist thought experiment, let's think of a nation --
> > call it Kochistan.  In Kochistan, everyone is required to have the name 
> > Werner Koch.  Most people in Kochistan are honest.  If you ask them if 
> > they're *the* Werner Koch, they'll tell you no, they're not.
> 
> Funnily, we're saying the same thing. You yourself said you don't particularly
> care if Werner Koch is actually called Horace Micklethorpe or Harry Palmer or
> ... Then why are you interested in the number of Werner Kochs?
> 
> The thing I'm interested in: is the source of GnuPG I downloaded actually the
> program we know and love. I'm at this point not interested in the fact that
> Werner Koch is a main developer of it, or what his proper name is. For all I
> know his birthname indeed is Horace. He might as well have given the UID "GnuPG
> dist sig" to the key, instead of "Werner Koch (dist sig)". The only reason we
> are talking about "the" Werner Koch is that his name is in the UID, which might
> as easily not have been. As I said, the number of Werner Kochs is insubstantial.
> 
> > I don't trust crowdsourcing to verify GnuPG.  If someone or some group 
> > subverts that system my exposure might be much greater and I might not learn
> >  about it for quite some time.
> 
> So how did you verify your GnuPG source? If you say "I asked a close friend", my
> counterquestion is: How did he/she? What I want to know is: what bootstrapped
> the confidence that the key was the proper GnuPG dist sig?
> 
> Personally, I did it by checking from a number of locations that the key making
> the signature is the same from wherever I try. Also, I spread the checks over a
> substantial period of time. If the website got hacked, I hoped it would come out
> in that period of time. It did not at any point include the quantity of Werner
> Kochs.
> 
> Now, if I wanted more satisfaction, I would indeed turn to this mailing list,
> ask members whether they see the same fingerprint, and check the replies from
> several locations to see that from wherever I check, the replies are identical.
> 
> Again add a little time to allow for members to write to the mailing list "Hey I
> did not write that reply!" in case of impersonation. Hopefully at least one
> person would notice and expose the deception.
> 
> And I do not see this process as, to quote you, "certifiably crazy" at all. It
> would perhaps be if I only checked it from the same computer as where I
> downloaded the source and signature and keyblock, but nowhere is it stated this
> is the case.
> 
> Peter.
> 
> -- 
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
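Peter's procedure above, as an added example that is not code from this thread or from the GnuPG project: record the dist-sig key's fingerprint as seen from several independent locations and dates, treat any disagreement as a failed check, and only then confirm that the tarball signature was made by that same key. It assumes the key listing comes from `gpg --with-colons --import-options show-only --import KEY.asc` and the verification output from `gpg --status-fd 1 --verify SIG FILE`; every fingerprint is a constructed placeholder.

```python
# Added example, not code from the thread: cross-check a dist-sig key
# fingerprint seen from several locations/dates, then confirm the tarball
# signature came from that key. Inputs: a `gpg --with-colons` key listing
# and `gpg --status-fd 1 --verify` output. All fingerprints are placeholders.
import re
from collections import Counter

def normalize_fpr(text):
    """Canonical 40-hex-digit form; accepts spaces, lower case, 0x prefix."""
    fpr = re.sub(r"\s+", "", text).upper()
    fpr = fpr[2:] if fpr.startswith("0X") else fpr
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a v4 fingerprint: {text!r}")
    return fpr

def primary_fpr_from_colons(listing):
    """Fingerprint of the first primary key: the fpr record following a pub
    record carries it in field 10 (index 9) of the colon format."""
    after_pub = False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            after_pub = True
        elif f[0] == "fpr" and after_pub:
            return normalize_fpr(f[9])
    raise ValueError("no primary-key fingerprint in listing")

def signing_key_from_status(status):
    """Primary-key fingerprint from the VALIDSIG status line (its last field;
    falls back to the signing-key field on gpg builds that omit it)."""
    for line in status.splitlines():
        f = line.split()
        if len(f) > 2 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return normalize_fpr(f[-1] if len(f) > 11 else f[2])
    return None  # BADSIG, NO_PUBKEY, or no signature at all

def consensus(observations):
    """observations: {location_or_date: fingerprint}. Any disagreement means
    the check fails: returns (None, dissenting labels) instead of a key."""
    seen = {k: normalize_fpr(v) for k, v in observations.items()}
    counts = Counter(seen.values())
    if len(counts) == 1:
        return next(iter(counts)), []
    majority = counts.most_common(1)[0][0]
    return None, sorted(k for k, v in seen.items() if v != majority)

def download_is_trusted(observations, status):
    """True only if every observation agrees and VALIDSIG names that key."""
    agreed, _ = consensus(observations)
    return agreed is not None and signing_key_from_status(status) == agreed
```

The dissenting labels tell you which location or date saw a different key, which is exactly the signal Peter describes waiting for before trusting the download.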