Yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm trying to guard against.
My efforts to verify the fingerprint are the best way to do this, correct?

> Date: Wed, 6 Jun 2012 21:54:01 +0200
> From: pe...@digitalbrains.com
> To: gnupg-users@gnupg.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>
> On 06/06/12 17:58, Mika Suomalainen wrote:
> >> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> > Looks correct.
> >
> > ```
> > % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> > gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
> > gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
> > ```
>
> I agree it appears he has the correct key. I did a local sig on it after what
> checking I seemed to be able to do without meeting people in person.
>
> But it's a bit unclear to me on what basis you decided it looked correct? Your
> mail suggests to me that you decided that based on the fact that the UID on
> that key is "Werner Koch (dist sig)". But that would be the very first thing a
> potential attacker would duplicate in his effort to fool our OP. Even if he's
> using MITM tricks to subvert his system, he can still post his personally
> generated key to the keyserver with this UID.
>
> Peter.
>
> PS: I briefly considered signing this message, because the attacker might MITM
> my message to the OP. Then I realised what good that signature would do :).
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
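
Checking a key by its full fingerprint instead of its UID, as the thread discusses, shown as an added example that is not part of the original messages. The function names and the two colon-format listings are constructed for illustration; the fingerprint is the one quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example: accept a key only on its full fingerprint, never on its UID.
# Input is in the record layout of `gpg --with-colons --fingerprint`.

# Print the primary-key fingerprint: first fpr record after a pub record.
primary_fpr() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "fpr" && want { print toupper($10); exit }'
}

# $1 = fingerprint from a trusted channel (spaces and case ignored);
# stdin = key listing. Returns 0 on match, 1 on mismatch, 2 on bad input.
fpr_matches() {
  local expected actual
  expected=$(printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
  actual=$(primary_fpr)
  # Insist on a full 40-hex-digit fingerprint, not a short key ID.
  case "$expected" in *[!0-9A-F]*) return 2 ;; esac
  [ "${#expected}" -eq 40 ] || return 2
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample listings (not real gpg output): same UID, different keys.
GENUINE='pub:-:2048:1:249B39D24F25E3B6:::::::
fpr:::::::::D8692123C4065DEA5E0F3AB5249B39D24F25E3B6:
uid:-::::::::Werner Koch (dist sig):'
LOOKALIKE='pub:-:2048:1:89ABCDEF01234567:::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::::::Werner Koch (dist sig):'

# Fingerprint as written in the thread. The comparison is only as good as
# the channel this value came from.
TRUSTED='D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6'

check() {  # $1 = label, $2 = listing
  if printf '%s\n' "$2" | fpr_matches "$TRUSTED"; then
    echo "$1: fingerprint matches"
  else
    echo "$1: MISMATCH, do not trust this key"
  fi
}
check genuine "$GENUINE"
check lookalike "$LOOKALIKE"
```

On a real keyring the listing would come from `gpg --with-colons --fingerprint <key>` piped into `fpr_matches`.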