On 6/9/2012 4:14 PM, Peter Lebbing wrote:
> Where the question is going is rather simple: what would you
> recommend Joe Average User to do to verify the authenticity of the
> GnuPG source he downloaded, not questioning his desire to build from
> that source.
Ah, I see. I apologize for not und
On 09/06/12 20:47, Robert J. Hansen wrote:
> On 06/09/2012 11:57 AM, Peter Lebbing wrote:
>> Suppose you would want to build from the vanilla source downloaded from
>> gnupg.org and signed by "Werner Koch (dist sig)", how would you verify
>> authenticity of that key?
>
> I don't understand where t
On 09/06/12 20:05, michael crane wrote:
> I'm using dreamhost. I appreciated that it seems quite handy to have all
> that random characters stuff outside of the message body and I was
> pointing out that it is not universally accepted to have daemon thingys
> like finger running so limiting the
On 06/09/2012 11:57 AM, Peter Lebbing wrote:
> Suppose you would want to build from the vanilla source downloaded from
> gnupg.org and signed by "Werner Koch (dist sig)", how would you verify
> authenticity of that key?
I don't understand where this question is going. I would find some
trusted pa
On Sat, June 9, 2012 2:29 pm, Mark Rousell wrote:
>> What types of processes are forbidden by DreamHost?
>> [deletia]
>
> Err.. sorry, not following you. :-) Who is using Dreamhost and what has
> it got to do with the finger protocol? Werner doesn't seem to be using
> Dreamhost for what it's wor
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09.06.2012 19:35, John wrote:
> When I installed Gpg4win, it came with GnuPG v2.0.17. I am not sure
> when it will be updated to include v2.0.19, but I was wondering
> whether there would be any problem from substituting the new
> version of gpgv2.e
When I installed Gpg4win, it came with GnuPG v2.0.17. I am not sure when it
will be updated to include v2.0.19, but I was wondering whether there would
be any problem from substituting the new version of gpgv2.exe for the older
one? Thanks.
On 09/06/12 17:17, Robert J. Hansen wrote:
> My bootstrap is "I trust my Linux distribution." My distro is a trusted
> software provider, in the traditional security sense of a "trusted
> provider". If I receive software from an official Fedora repo and it is
> signed by the repo release team, th
On 06/09/2012 11:05 AM, Peter Lebbing wrote:
> your reply, I understand now you did not mean it like that. I was
> already quite puzzled about my interpretation because it didn't sound
> like you :).
Thank you for giving me the benefit of the doubt. :)
> Funnily, we're saying the same thing. You
On 09/06/12 15:44, Robert J. Hansen wrote:
> I'm not weighing in on what the mechanism should be: I don't get to declare
> what anyone else's policy should be.
I was under the impression you did. I interpreted your mail and particularly the
statement
> but this either is or isn't a proper verifi
On 06/09/2012 09:44 AM, Robert J. Hansen wrote:
>> It doesn't really matter how many Werner Kochs there are.
>
> Sure it does. As an absurdist thought experiment...
An anecdote might work better than an absurdist thought experiment, come
to think of it...
=
In the United States, the colleg
On 06/09/2012 07:21 AM, Peter Lebbing wrote:
> So how /do/ you verify that you have the distribution key for GnuPG?
By fiat. You go through some mechanism and at the completion declare,
"I am satisfied that the likelihood of this *not* being the correct
distribution key is quite low." I'm not we
On 09/06/2012 12:05, michael crane wrote:
>
> On Sat, June 9, 2012 10:28 am, Mark Rousell wrote:
>> On 07/06/2012 11:27, Werner Koch wrote:
>>> On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said:
>>>
>>> If you look at my OpenPGP mail header you will be pointed to a “finger”
>>> address - ent
Hi!
>> Perhaps it would be worthwhile to add a question to the signing
>> process: "Have you met this person face-to-face and verified
>> his/her identity? (y/N)" If the user answers no, display a warning
>> that the user probably wants to lsign, not to sign, and give the
>> option of making an l
On 09/06/12 02:22, Robert J. Hansen wrote:
> Some might shake their heads and say no, it's not: you only verified you were
> speaking with *a* Werner Koch who had access to *the* Werner Koch's email
> address, not that you were speaking to *the* Werner Koch.
So how /do/ you verify that you have th
On Sat, June 9, 2012 10:28 am, Mark Rousell wrote:
> On 07/06/2012 11:27, Werner Koch wrote:
>> On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said:
>>
>> If you look at my OpenPGP mail header you will be pointed to a finger
>> address - enter it into your web browser (in case you don't know
Please consider trimming your quotes. The amount that's going on here
strikes me as pretty excessive. I'm not standing on a chair and
screaming that you're doing it wrong, of course: this is just a friendly
request to please trim your quotes. :)
> The whole idea behind the web of trust is that
On 07/06/2012 11:27, Werner Koch wrote:
> On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said:
>
> If you look at my OpenPGP mail header you will be pointed to a “finger”
> address - enter it into your web browser (in case you don't know what
> finger is) and you will see
Just as an aside, I
On Fri, 8 Jun 2012 23:41, smick...@hotmail.com said:
> Another thing is that downloading the key from that link you provided
> is no guarantee of safety in and of itself either because the page is
> not being hosted over SSL with confirmed identity information. So
That is not relevant. The key
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07.06.2012 19:52, Robert J. Hansen wrote:
> On 6/7/12 12:32 PM, Werner Koch wrote:
>> That is actually a bit funny: I never asked anyone to sign that
>> key. Probably they deduced the correctness from my regular key
>> which I used to sign the above
20 matches