On 09/06/12 02:22, Robert J. Hansen wrote:
> Some might shake their heads and say no, it's not: you only verified you were
> speaking with *a* Werner Koch who had access to *the* Werner Koch's email
> address, not that you were speaking to *the* Werner Koch.

So how /do/ you verify that you have the distribution key for GnuPG?

Let's not lose sight of this specific instance of verification: that you want to know you have the GnuPG source as distributed by its authors, and not some modified version. It doesn't really matter how many Werner Kochs there are.

There is always a bootstrapping problem for the trust. So at some point you'll have to satisfy yourself that you have the correct key. Crowdsourcing the knowledge seems viable, if you make sure the messages from the crowd are not altered by your attacker.

And it's always a costs/benefits decision. How sure do you want to be that you have the unmodified sources?

So I don't agree that it is as binary as "this is or isn't a proper verification".

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
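The "crowdsourcing" idea above can be made concrete: collect the distribution key's fingerprint from several channels that an attacker sitting on your download path would have to subvert independently, and only trust a locally fetched key if a quorum of those channels agrees. The script below is an added illustration, not part of the thread or of GnuPG; the fingerprints and channel names in it are constructed placeholders, not the real GnuPG signing key.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:
    channel: str      # where you saw the fingerprint (should be independent of your download path)
    fingerprint: str  # exactly as transcribed from that channel (spacing/case may vary)

def normalize(fpr: str) -> str:
    """Canonical form: 40 uppercase hex digits, no spaces, no 0x prefix (OpenPGP v4)."""
    s = re.sub(r"\s+", "", fpr).upper()
    if s.startswith("0X"):
        s = s[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError(f"not a v4 fingerprint: {fpr!r}")
    return s

def consensus(attestations, quorum=3):
    """Return (fingerprint, dissent) where fingerprint is the value backed by at least
    `quorum` distinct channels AND an absolute majority of all channels, else None.
    `dissent` maps every other fingerprint seen to the channels that reported it; a
    non-empty dissent is itself a signal that some channel was altered or mistranscribed."""
    by_fpr: dict[str, set[str]] = {}
    for a in attestations:
        by_fpr.setdefault(normalize(a.fingerprint), set()).add(a.channel)
    ranked = sorted(by_fpr.items(), key=lambda kv: len(kv[1]), reverse=True)
    top_fpr, agreeing = ranked[0]
    dissent = {f: sorted(c) for f, c in ranked[1:]}
    total = sum(len(c) for c in by_fpr.values())
    if len(agreeing) < quorum or len(agreeing) * 2 <= total:
        return None, dissent
    return top_fpr, dissent

def accept_key(local_fingerprint: str, attestations, quorum=3) -> bool:
    """True only if the key you actually fetched matches the crowd's consensus."""
    agreed, _ = consensus(attestations, quorum)
    return agreed is not None and normalize(local_fingerprint) == agreed

# Constructed sample: three channels agree (with different formatting), one differs in a nibble.
SAMPLE = [
    Attestation("mailing-list archive", "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"),
    Attestation("printed in a book",    "0x0123456789abcdef0123456789abcdef01234567"),
    Attestation("friend at keysigning", "0123456789ABCDEF0123456789ABCDEF01234567"),
    Attestation("random web forum",     "0123456789ABCDEF0123456789ABCDEF01234568"),
]
```

Run `accept_key(fingerprint_of_key_you_downloaded, SAMPLE)` after fetching the key; a `False` together with non-empty dissent tells you which channel to distrust.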
