-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07.06.2012 02:15, Sam Smith wrote:
> yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm
> trying to guard against.
>
> My efforts to verify the fingerprint are the best way to do this,
> correct?
>
>> Date: Wed, 6 Jun 2012 21:54:01 +0200
>> From: pe...@digitalbrains.com
>> To: gnupg-users@gnupg.org
>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>>
>> On 06/06/12 17:58, Mika Suomalainen wrote:
>>>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>>> Looks correct.
>>>
>>> ```
>>> % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
>>> gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
>>> gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
>>> ```
>>
>> I agree it appears he has the correct key. I did a local sig on it
>> after what checking I seemed to be able to do without meeting people
>> in person.
>>
>> But it's a bit unclear to me on what basis you decided it looked
>> correct? Your mail suggests to me that you decided that based on the
>> fact that the UID on that key is "Werner Koch (dist sig)". But that
>> would be the very first thing a potential attacker would duplicate in
>> his effort to fool our OP. Even if he's using MITM tricks to subvert
>> his system, he can still post his personally generated key to the
>> keyserver with this UID.
>>
>> Peter.
>>
>> PS: I briefly considered signing this message, because the attacker
>> might MITM my message to the OP. Then I realised what good that
>> signature would do :).
>>
>> --
>> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
>> You can send me encrypted mail if you want some privacy.
>> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users@gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users

Oh, then you are checking the wrong thing. You should be checking the signatures in the key. That key looks valid to me.

```
% gpg --list-sigs D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
pub   2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
uid                  Werner Koch (dist sig)
sig          58DFC608 2011-06-11  Andrey Samokhvalov <andrey...@ukr.net>
sig          30B94B5C 2012-02-29  楊士青 (Yang Shih-Ching) <imacat@mail.imacat.idv.tw>
sig          1E42B367 2011-01-12  Werner Koch <w...@gnupg.org>
sig          3B180E81 2011-02-13  Wolf Windshadow (My personal key) <wolfwindshad...@gmail.com>
sig          1CE0C630 2011-01-12  Werner Koch (dist sig) <dd...@gnu.org>
sig 2        2AAA5C3B 2011-01-22  Gary de Montigny (HMS) <g...@demontigny.net>
sig 2        E3F1D8F7 2012-01-31  Javier Alonso Fernández Almirall <javier.fernande...@gmail.com>
sig 3        4F25E3B6 2011-01-12  Werner Koch (dist sig)
sig 1        46EB581F 2011-10-29  Stanislav Sidorenko (email&jabber) <mail@stanislavsidorenko.com>
sig          F80D46AB 2011-06-10  Ulf Linde <ulf.li...@armax.se>
sig          A3B53998 2011-06-14  Daniel Kraft (Graz, Austria) <d...@domob.eu>
sub   2048R/AC87C71A 2011-01-12 [expires: 2019-12-31]
sig          1CE0C630 2011-01-12  Werner Koch (dist sig) <dd...@gnu.org>
sig          4F25E3B6 2011-01-12  Werner Koch (dist sig)
```

- -- 
[Mika Suomalainen](https://mkaysi.github.com/) || [gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) || [Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) || [Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) || [This signature](https://gist.github.com/2643070#file_icedove.md) || [Please reply below this line](http://mkaysi.github.com/articles/complaining/topposting.html)
____________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Homepage: http://mkaysi.github.com/
Comment: gpg --keyserver pool.sks-keyservers.net 82A46728
Comment: Public key: http://mkaysi.github.com/PGP/key.txt
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
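
Added example, not part of the original message or of GnuPG: a small check that combines both points from the thread, run over constructed listings in the record layout of `gpg --with-colons --check-sigs` (unlike `--list-sigs`, `--check-sigs` actually verifies each signature). The signer key IDs, the impostor key and the `VERIFIED_SIGNERS` set are placeholders; the check accepts a key only on its full fingerprint and counts only verified signatures from keys you have already verified yourself.

```python
# Added example. Both listings are constructed, in the record layout of
# `gpg --with-colons --check-sigs`; only the fingerprint and UID come from the thread.
EXPECTED_FPR = "D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6"
VERIFIED_SIGNERS = {"AAAAAAAAAAAAAAAA"}  # placeholder: a long key ID you verified yourself

GENUINE = """\
pub:-:2048:1:249B39D24F25E3B6:1294790400:1577750400::-:::scESC:
fpr:::::::::D8692123C4065DEA5E0F3AB5249B39D24F25E3B6:
uid:-::::1294790400::::Werner Koch (dist sig):
sig:!::1:249B39D24F25E3B6:1294790400::::Werner Koch (dist sig):13x:
sig:!::1:AAAAAAAAAAAAAAAA:1294790400::::Signer you verified:10x:
sig:!::1:BBBBBBBBBBBBBBBB:1307750400::::Signer you never verified:10x:
sig:?::1:CCCCCCCCCCCCCCCC:1307750400::::[User ID not found]:10x:
"""
IMPOSTOR = """\
pub:-:2048:1:DDDDDDDDDDDDDDDD:1338940800:::-:::scESC:
fpr:::::::::000000000000000000000000DDDDDDDDDDDDDDDD:
uid:-::::1338940800::::Werner Koch (dist sig):
sig:!::1:DDDDDDDDDDDDDDDD:1338940800::::Werner Koch (dist sig):13x:
sig:!::1:BBBBBBBBBBBBBBBB:1338940800::::Signer you never verified:10x:
"""

def normalize(fpr):
    """Drop spaces and case so the grouped and packed forms compare equal."""
    return "".join(fpr.split()).upper()

def assess_key(listing, expected_fpr, verified_signers):
    """Return (fingerprint_ok, uids, vouchers) for the primary key in `listing`."""
    key_id, fpr, uids, vouchers = None, None, [], set()
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            if key_id is not None:
                break                      # second key: out of scope here
            key_id = f[4]
        elif f[0] == "sub":
            break                          # subkey binding sigs are not certifications
        elif f[0] == "fpr" and fpr is None:
            fpr = f[9]
        elif f[0] == "uid":
            uids.append(f[9])
        elif f[0] == "sig":
            # Count a signature only if gpg verified it ("!"), it is not the
            # key signing itself, and the signer is a key you already verified.
            if f[1].startswith("!") and f[4] != key_id and f[4] in verified_signers:
                vouchers.add(f[4])
    fingerprint_ok = fpr is not None and normalize(fpr) == normalize(expected_fpr)
    return fingerprint_ok, uids, sorted(vouchers)
```

Both constructed keys carry the UID "Werner Koch (dist sig)" and a valid self-signature, so neither of those distinguishes them; only the fingerprint comparison and the verified-signer check do.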