On Sun, Oct 28, 2018 at 11:39:37PM +1100, Ben McGinnes wrote:
> >> Well, verifying the identity of an unknown person with some server
> >> over the Internet is not very reliable, isn't it?
> >
> > In what way? I think gnupg.net is a pretty secure source to look up
> > keys. There's no other way unless someone attaches/sends you their
> > key to import that I know about.
>
> It shouldn't matter which server an OpenPGP key was obtained from, the
> security and/or validity of the key is maintained by the protocol's
> implementation.
IIRC this is *mostly* true--except that some versions (and some key
servers) support subkeys, while others do not, and this mismatch could
break verification.  But aside from that, and aside from
signature-related bugs like what we were just discussing in that other
thread, verifying a message with GPG proves, mathematically, that the
message was sent by the person whose key matches the key fingerprint
indicated on the message.  Nothing more, nothing less.  It's up to you
to confirm, either in person or by "web of trust", that the key really
belongs to the person you think it does.

If you're not familiar with what the web of trust is, essentially it's
a mechanism that lets the user say, "I don't know who this person is
and I don't trust them, but I see that their key has been signed by my
good friends Jenny, Dave, and Robin, so I can assume the person really
is who they say they are."  This presumes that you know Jenny, Dave,
and Robin, and know how diligent they are about verifying keys, and
trust that they actually did verify the identity of the unknown person.
If you don't, you can choose not to trust the key as well.

In-person verification generally takes the form of an exchange, in
person, of the two people's public keys (which often may have been made
available previously, electronically), the key fingerprint of those
keys, and if necessary (i.e. you don't know the person by sight)
inspecting some sort of official identification.  Then, assuming all of
those things match, particularly the fingerprint they gave you matches
the fingerprint PGP/GPG tells you the key has, you sign the key via the
command-line interface (or whatever), indicating your level of trust of
that key.

-- 
Derek D. Martin    http://www.pizzashack.org/    GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will
result in undeliverable mail due to spam prevention.  Sorry for the
inconvenience.
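The "signed by Jenny, Dave, and Robin" reasoning above is exactly what GnuPG's classic trust model computes from your ownertrust settings. The following is an added illustration, not code from this thread or from GnuPG itself: a simplified Python model of that computation using GnuPG's default thresholds (one fully trusted signer, or three marginally trusted ones, with a maximum certification depth of five), plus the fingerprint comparison that in-person verification boils down to. Key names such as "JENNY", "STRANGER_A" and the fingerprint strings in the usage are all constructed for the example; real gpg tracks more state (expiry, revocation, per-signature trust levels) than this model does.

```python
"""Simplified model of the classic OpenPGP web of trust, using GnuPG's
default thresholds (one fully trusted signer, or three marginally trusted
ones, within a certification chain at most five deep).

Every key name below is constructed for illustration; none is a real key.
"""
from dataclasses import dataclass

# Ownertrust: how far you trust a key's OWNER to verify other people's keys.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"


def fingerprint_matches(shown: str, expected: str) -> bool:
    """Compare the fingerprint someone handed you with the one gpg prints.

    Whitespace and case are normalised so layout differences do not cause a
    false mismatch, but only a complete fingerprint (40 hex digits for a v4
    key, 64 for v5) is accepted: a short key ID is not a safe substitute.
    """
    a = "".join(shown.split()).upper()
    b = "".join(expected.split()).upper()
    return len(a) in (40, 64) and a == b


@dataclass
class Keyring:
    ownertrust: dict           # fingerprint -> ownertrust level you assigned
    certifications: dict       # subject fingerprint -> set of signer fingerprints
    marginals_needed: int = 3  # gpg default: --marginals-needed 3
    completes_needed: int = 1  # gpg default: --completes-needed 1
    max_cert_depth: int = 5    # gpg default: --max-cert-depth 5

    def compute_validity(self) -> dict:
        """Return {fingerprint: chain depth} for every key judged valid.

        Your own ultimately trusted key is valid at depth 0.  Any other key is
        valid only if enough of its certifications come from keys that are
        themselves valid AND whose owners you trust; everything else (unknown
        or never-trusted signers, self-signatures, chains that are too long)
        is ignored.  Iterates until no new key becomes valid.
        """
        valid = {fp: 0 for fp, t in self.ownertrust.items() if t == ULTIMATE}
        changed = True
        while changed:
            changed = False
            for subject, signers in self.certifications.items():
                if subject in valid:
                    continue
                full, marginal, depths = 0, 0, []
                for signer in signers:
                    if signer == subject or signer not in valid:
                        continue
                    depth = valid[signer] + 1
                    if depth > self.max_cert_depth:
                        continue
                    trust = self.ownertrust.get(signer, UNKNOWN)
                    if trust in (FULL, ULTIMATE):
                        full += 1
                    elif trust == MARGINAL:
                        marginal += 1
                    else:
                        continue
                    depths.append(depth)
                if full >= self.completes_needed or marginal >= self.marginals_needed:
                    valid[subject] = min(depths)
                    changed = True
        return valid


def example_keyring() -> Keyring:
    """The scenario from the message above, with constructed key names."""
    return Keyring(
        ownertrust={
            "ME": ULTIMATE,
            "JENNY": MARGINAL, "DAVE": MARGINAL, "ROBIN": MARGINAL,
            "ALICE": FULL,     # a friend whose key-checking you trust completely
        },
        certifications={
            # Keys whose fingerprints I checked in person and then signed.
            "JENNY": {"ME"}, "DAVE": {"ME"}, "ROBIN": {"ME"}, "ALICE": {"ME"},
            "STRANGER_A": {"JENNY", "DAVE", "ROBIN"},  # three marginals: valid
            "STRANGER_B": {"JENNY", "DAVE"},           # only two: not valid
            "STRANGER_C": {"ALICE"},                   # one full: valid
            "STRANGER_D": {"STRANGER_A"},              # valid signer, ownertrust unknown
        },
    )


if __name__ == "__main__":
    kr = example_keyring()
    print(kr.compute_validity())
    # Deciding you do not trust Robin's diligence drops STRANGER_A below the threshold.
    kr.ownertrust["ROBIN"] = UNKNOWN
    print(kr.compute_validity())
```

Running it shows STRANGER_A and STRANGER_C valid at depth 2 while STRANGER_B and STRANGER_D are not, and that withdrawing ownertrust from Robin alone is enough to make STRANGER_A invalid again, which is the "you can choose not to trust the key as well" step above. Note that STRANGER_D is signed by a valid key but is still not valid: validity (you know whose key it is) and ownertrust (you trust that person to check others) are separate decisions, and only the second is something you set by hand.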