Re: can someone verify the gnupg Fingerprint for pubkey?
On 07.06.2012 19:52, Robert J. Hansen wrote:
> On 6/7/12 12:32 PM, Werner Koch wrote:
>> That is actually a bit funny: I never asked anyone to sign that key. Probably they deduced the correctness from my regular key which I used to sign the above key.
>
> That is not a surprise; I have seen many signatures on my keys from people I never met. Perhaps it would be worthwhile to add a question to the signing process:
>
> Have you met this person face-to-face and verified his/her identity? (y/N)
>
> If the user answers no, display a warning that the user probably wants to lsign, not to sign, and give the option of making an lsign instead.

+1 to this idea. It might cut down on certifications such as these...

-- 
[Mika Suomalainen](https://mkaysi.github.com/) || [gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) || [Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) || [Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) || [This signature](https://gist.github.com/2643070#file_icedove.md) || [Please reply below this line](http://mkaysi.github.com/articles/complaining/topposting.html)

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: can someone verify the gnupg Fingerprint for pubkey?
On Fri, 8 Jun 2012 23:41, smick...@hotmail.com said:
> Another thing is that downloading the key from that link you provided is no guarantee of safety in and of itself either because the page is not being hosted over SSL with confirmed identity information. So

That is not relevant. The key (correct OpenPGP term is “keyblock” but sometimes also called “certificate”) is in itself secure; the included self-signature and signatures from other people shall be used to evaluate the identity of the key owner.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

Re: can someone verify the gnupg Fingerprint for pubkey?
On 07/06/2012 11:27, Werner Koch wrote:
> On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said:
>
> If you look at my OpenPGP mail header you will be pointed to a “finger” address - enter it into your web browser (in case you don't know what finger is) and you will see

Just as an aside, I presume you are referring to this header line:

OpenPGP: id=1E42B367; url=finger:w...@g10code.com

Do you know of any common modern browsers that have finger protocol support built in? I wonder, how many people even have a finger client installed (that their browser would be able to find)?

-- 
MarkR
PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162

Re: can someone verify the gnupg Fingerprint for pubkey?
Please consider trimming your quotes. The amount that's going on here strikes me as pretty excessive. I'm not standing on a chair and screaming that you're doing it wrong, of course: this is just a friendly request to please trim your quotes. :)

> The whole idea behind the web of trust is that you have met real people.

Not particularly. The idea behind the Web of Trust is that entities can introduce other entities. Everything above and beyond that is just the projection someone places upon it.

> It is a principle of the whole system that you only sign people's keys. The person comes first - not the key.

Not necessarily. For instance, Symantec has a certificate they use to sign PGP releases. That certificate does not belong to a person but to a corporation. *Entities* come first, but an entity is not necessarily a person. Usually it is -- but it's not required to be.

> It's not the validity of keys but the validity of people.

No, it's definitely the validity of certificates that we're checking. We can agree on how to check the validity of a certificate -- ensure the fingerprint matches the one provided to you by the entity controlling the certificate. We can't agree on how to check the validity of a person, or even what it even means to do this. So instead we handwave it by saying, prove to your own satisfaction you're talking to the real entity -- whether this means you've known the person for twenty years, you've seen two forms of government ID, or Elvis came to you in a séance and vouched for the person and told you he was a swell guy. That last option is every bit as 'valid' as the other two. How you confirm an entity's identity is your choice, and nobody gets to decide that policy except you.

> Most people are bound up with beliefs and behaviours. They interact with others on a daily basis sharing common values, beliefs and behaviours. Under normal conditions we don't ask everyone we meet for their passport, driving license or DNA sequence. We accept it as the norm that people are real and valid - it's the IDs they use which may or may not be questionable.

I don't understand what you're talking about here. In fact, it seems quite self-contradictory. If someone presents themselves as being Horace Micklethorpe, shows me ID in that name, and then I later discover this person's real name is Harry Palmer, I'm going to understandably accuse this person of having been inauthentic with me.

> So people on this mailing list know that Werner Koch is real.

Few of us do. I harbor some suspicion that Werner's real name is Horace Micklethorpe. He might also be Harry Palmer or Bob Howard. I don't know. I also don't particularly *care*, either: what I care about is what he does, not who he is.

> A public key is a static document

Certificates change over time as UIDs, UATs, signatures and subkeys are added and revoked. Certificates are highly dynamic documents: many of them gain a signature a week.

Re: can someone verify the gnupg Fingerprint for pubkey?
On Sat, June 9, 2012 10:28 am, Mark Rousell wrote:
> On 07/06/2012 11:27, Werner Koch wrote:
>> On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said:
>>
>> If you look at my OpenPGP mail header you will be pointed to a finger address - enter it into your web browser (in case you don't know what finger is) and you will see
>
> Just as an aside, I presume you are referring to this header line:
>
> OpenPGP: id=1E42B367; url=finger:w...@g10code.com
>
> Do you know of any common modern browsers that have finger protocol support built in? I wonder, how many people even have a finger client installed (that their browser would be able to find)?

also

What types of processes are forbidden by DreamHost?

- IRC-related persistent processes of any kind (including, but not limited to, bots, bouncers, etc.) are STRICTLY PROHIBITED, and are in violation of the Terms of Service.
- BitTorrent-related processes are not allowed.
- Streaming Audio or Video servers of any kind are not allowed on shared hosting servers.
- Voice chat or VoIP servers like Asterisk, Ventrilo and TeamSpeak are not permitted.
- Game servers (CounterStrike, WoW, BF2, etc.) are also not permitted.
- Proxy style tunnels such as Tor cannot be run.
- Alternate services and daemons (Finger, OpenLDAP, memcached, etc.) as well as daemonized versions of current services (PHP, httpd, etc.) may not be run.
- Cron Jobs, Crontabs are allowed provided you don't use excessive system resources.

mick
-- 
keyID: 0x4BFEBB31

Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/12 02:22, Robert J. Hansen wrote:
> Some might shake their heads and say no, it's not: you only verified you were speaking with *a* Werner Koch who had access to *the* Werner Koch's email address, not that you were speaking to *the* Werner Koch.

So how /do/ you verify that you have the distribution key for GnuPG? Let's not lose sight of this specific instance of verification: that you want to know you have the GnuPG source as distributed by its authors, and not some modified version. It doesn't really matter how many Werner Kochs there are.

There is always a bootstrapping problem for the trust. So at some point you'll have to satisfy yourself that you have the correct key. Crowdsourcing the knowledge seems viable, if you make sure the messages from the crowd are not altered by your attacker.

And it's always a costs/benefits decision. How sure do you want to be that you have the unmodified sources? So I don't agree that it is as binary as "this is or isn't a proper verification".

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

Re: can someone verify the gnupg Fingerprint for pubkey?
Hi!

>> Perhaps it would be worthwhile to add a question to the signing process:
>>
>> Have you met this person face-to-face and verified his/her identity? (y/N)
>>
>> If the user answers no, display a warning that the user probably wants to lsign, not to sign, and give the option of making an lsign instead.
>
> +1 to this idea.

Isn't that what --ask-cert-level is for?

cu, Paeniteo

Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/2012 12:05, michael crane wrote:
> On Sat, June 9, 2012 10:28 am, Mark Rousell wrote:
>> On 07/06/2012 11:27, Werner Koch wrote:
>>> On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said:
>>>
>>> If you look at my OpenPGP mail header you will be pointed to a “finger” address - enter it into your web browser (in case you don't know what finger is) and you will see
>>
>> Just as an aside, I presume you are referring to this header line:
>>
>> OpenPGP: id=1E42B367; url=finger:w...@g10code.com
>>
>> Do you know of any common modern browsers that have finger protocol support built in? I wonder, how many people even have a finger client installed (that their browser would be able to find)?
>
> also
>
> What types of processes are forbidden by DreamHost?
> [deletia]

Err.. sorry, not following you. :-) Who is using Dreamhost and what has it got to do with the finger protocol? Werner doesn't seem to be using Dreamhost for what it's worth.

Anyway, I admit that my comment about the finger protocol is not exactly on-topic but I was just curious about Werner's assumption that the protocol would be meaningful to an arbitrary browser. For example, even though I've got a command line finger client on my system none of my installed browsers know about it. I'd have to manually add a system mapping for the finger: protocol (and even then I'd also have to add a wrapper to open the finger client in a persistent shell so I could see the results).

-- 
MarkR
PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162

Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/09/2012 07:21 AM, Peter Lebbing wrote:
> So how /do/ you verify that you have the distribution key for GnuPG?

By fiat. You go through some mechanism and at the completion declare, "I am satisfied that the likelihood of this *not* being the correct distribution key is quite low." I'm not weighing in on what the mechanism should be: I don't get to declare what anyone else's policy should be.

> It doesn't really matter how many Werner Kochs there are.

Sure it does. As an absurdist thought experiment, let's think of a nation -- call it Kochistan. In Kochistan, everyone is required to have the name Werner Koch. Most people in Kochistan are honest. If you ask them if they're *the* Werner Koch, they'll tell you no, they're not. Some people in Kochistan are dishonest. If you ask them if they're *the* Werner Koch they will quickly tell you yes, create a certificate with the same UID on it as the one which signs GnuPG releases, and give you the fingerprint for *that* certificate. This Werner Koch will then call his cousin (also named Werner Koch) who runs an organized crime outfit, and will tell him that if he can Trojan a copy of GnuPG that you'll be happy to install it because you're under the impression that he (Werner-who-is-not-our-Werner) is him (Werner-who-is-our-Werner).

There's a big difference between being *the* person and being *a* person. :)

> Crowdsourcing the knowledge seems viable, if you make sure the messages from the crowd are not altered by your attacker.

I'll trust crowdsourcing to find me good restaurants in my neighborhood. If someone (or some group) subverts that system then I'm out a few bucks for a meal that doesn't taste very good and I know not to trust that restaurant review website again. And I learn about this really quickly, too -- all it takes is one or two bad meals and I've moved on to find a better source for restaurant reviews.

I don't trust crowdsourcing to verify GnuPG. If someone or some group subverts that system my exposure might be much greater and I might not learn about it for quite some time.

> And it's always a costs/benefits decision. How sure do you want to be that you have the unmodified sources? So I don't agree that it is as binary as "this is or isn't a proper verification".

Well -- not to be rude, but you did. As you said, at some point you'll have to satisfy yourself that you have the correct key. The process you use to satisfy yourself will by definition satisfy yourself: that makes it a proper verification. But if you satisfy it by a process that other people consider insufficient or deeply unhinged (in the case of the séance with Elvis), they will say that it is *not* sufficient and that makes it an improper verification.

Verification is inherently subjective. A verification can simultaneously be sufficient and insufficient -- sufficient for yourself but not others, insufficient for yourself but not others, and so on.

Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/09/2012 09:44 AM, Robert J. Hansen wrote:
>> It doesn't really matter how many Werner Kochs there are.
>
> Sure it does. As an absurdist thought experiment...

An anecdote might work better than an absurdist thought experiment, come to think of it...

=====

In the United States, the collegiate basketball championships are the occasion for a lot of betting. People stake wagers on which teams will make the semifinals (the Sweet Sixteen) and the playoffs (the Final Four). As you might expect, a lot of people try to get some kind of inside information -- they might have a cousin who plays for one team and their cousin says the University of Nevada at Las Vegas is the one to look out for or something. Whenever you've got gamblers you'll have people who try to get inside information or expert advice.

The University of Iowa's color-commentator for their basketball games is a great guy -- I met him a couple of times, once when he was playing ball for UI and a couple of times when I was a grad student at UI. He's also a legend in professional basketball, having replaced Michael Jordan in the 1992 NBA Finals while the Bulls were down by 15 and rallying them to a 97-93 win. Anyone who can not only replace Michael Jordan in a game, but replace him *and* rally the score, is a deservedly legendary figure.

We have the same name, we're both University of Iowa graduates, and we both have a lot of family in Des Moines. We both answer to Bob Hansen. (I prefer Rob, but I'll answer to Bob or Robert.) Even our middle initials are similar: he's Robert L. Hansen and I'm Robert J. Hansen. It doesn't take a bad case of dyslexia to get those initials reversed.

So during Final Four season when people look around for the Bob Hansen who attended the University of Iowa... well, sometimes they get me.

"Are you Bob Hansen?"
"Yes, I am."
"Did you attend the University of Iowa?"
"Yep!"
"Are you *that* Bob Hansen who attended the University of Iowa? Bob Hansen from Des Moines?"
"Well, I'm not actually from Des Moines, no, but yes, I have a lot of family there."
"OH MY GOD I CAN'T BELIEVE I FOUND YOU. Quick! Who are your Final Four picks? And are you still tight with Magic Johnson and Michael Jordan?"

Verification is a hard problem. Even when dealing with someone who is giving *completely honest answers*, it's still easy to confuse *a* Bob Hansen for *the* Bob Hansen. And when it comes to getting good Final Four picks, you really want *the* Bob Hansen, and not me. I've seen a total of two basketball games in my life.

Likewise, you want *the* Werner Koch, not *a* Werner Koch. When it comes to getting a correct copy of GnuPG, you really want his certificate and not some other Werner Koch's!

Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/12 15:44, Robert J. Hansen wrote:
> I'm not weighing in on what the mechanism should be: I don't get to declare what anyone else's policy should be.

I was under the impression you did. I interpreted your mail and particularly the statement "but this either is or isn't a proper verification, and there's no in-between." as meaning that there is only one correct way to do a proper verification. From your reply, I understand now you did not mean it like that. I was already quite puzzled about my interpretation because it didn't sound like you :).

>> It doesn't really matter how many Werner Kochs there are.
>
> Sure it does. As an absurdist thought experiment, let's think of a nation -- call it Kochistan. In Kochistan, everyone is required to have the name Werner Koch. Most people in Kochistan are honest. If you ask them if they're *the* Werner Koch, they'll tell you no, they're not.

Funnily, we're saying the same thing. You yourself said you don't particularly care if Werner Koch is actually called Horace Micklethorpe or Harry Palmer or ... Then why are you interested in the number of Werner Kochs?

The thing I'm interested in: is the source of GnuPG I downloaded actually the program we know and love. I'm at this point not interested in the fact that Werner Koch is a main developer of it, or what his proper name is. For all I know his birthname indeed is Horace. He might as well have given the UID "GnuPG dist sig" to the key, instead of "Werner Koch (dist sig)". The only reason we are talking about the Werner Koch is that his name is in the UID, which might as easily not have been. As I said, the number of Werner Kochs is insubstantial.

> I don't trust crowdsourcing to verify GnuPG. If someone or some group subverts that system my exposure might be much greater and I might not learn about it for quite some time.

So how did you verify your GnuPG source? If you say "I asked a close friend", my counterquestion is: How did he/she?

What I want to know is: what bootstrapped the confidence that the key was the proper GnuPG dist sig?

Personally, I did it by checking from a number of locations that the key making the signature is the same from wherever I try. Also, I spread the checks over a substantial period of time. If the website got hacked, I hoped it would come out in that period of time. It did not at any point include the quantity of Werner Kochs.

Now, if I wanted more satisfaction, I would indeed turn to this mailing list, ask members whether they see the same fingerprint, and check the replies from several locations to see that from wherever I check, the replies are identical. Again add a little time to allow for members to write to the mailing list "Hey I did not write that reply!" in case of impersonation. Hopefully at least one person would notice and expose the deception.

And I do not see this process as, to quote you, "certifiably crazy" at all. It would perhaps be if I only checked it from the same computer as where I downloaded the source and signature and keyblock, but nowhere is it stated this is the case.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

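Peter's procedure above (check from several locations, and again after some time, that the key making the signature is the same) can be carried out over the machine-readable status lines gpg emits instead of by eyeballing fingerprints. The following Python is an added example, not code from the thread or from GnuPG: the status output is a constructed imitation of what `gpg --status-fd 1 --verify` prints, and every fingerprint in it is a placeholder rather than the real GnuPG distribution key. It reads the signing fingerprint from the VALIDSIG line of each run, ignores the user ID shown in GOODSIG (a lookalike key with the same UID also yields GOODSIG once it is in the keyring), reports runs that failed or saw a different key, and compares against a fingerprint obtained through a separate channel.

```python
"""Cross-check which key signed a GnuPG release across several independent
`gpg --verify` runs (added example; all status output and fingerprints below
are constructed placeholders, not the real GnuPG distribution key)."""

STATUS_PREFIX = "[GNUPG:] "
# Status keywords after which the signature must not be relied on at all.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

# Fingerprint obtained through a separate channel (this list, a distro
# package, a printed fingerprint); placeholder value.
PINNED_FPR = "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333"

# Constructed `gpg --status-fd 1 --verify gnupg-X.tar.bz2.sig gnupg-X.tar.bz2`
# output.  GOOD: the expected key.  LOOKALIKE: a different key carrying the
# same UID, which also yields GOODSIG.  BAD: a modified tarball.
GOOD = (
    "[GNUPG:] GOODSIG 0000111122223333 Werner Koch (dist sig)\n"
    "[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2012-05-24 "
    "1337856000 0 4 0 1 2 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
LOOKALIKE = (
    "[GNUPG:] GOODSIG 3333222211110000 Werner Koch (dist sig)\n"
    "[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2012-06-01 "
    "1338508800 0 4 0 1 2 00 9999888877776666555544443333222211110000\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
BAD = "[GNUPG:] BADSIG 0000111122223333 Werner Koch (dist sig)\n"

# One capture per location and time, as in the procedure described above.
RUNS_CONSISTENT = {"home": GOOD, "office": GOOD, "mobile": GOOD, "two-weeks-later": GOOD}
RUNS_TAMPERED = {"home": GOOD, "office": LOOKALIKE, "mobile": GOOD, "two-weeks-later": BAD}


def normalize_fpr(fpr):
    """Fingerprints are compared without spacing and case."""
    return fpr.replace(" ", "").upper()


def signer_fingerprint(status_output):
    """Return the fingerprint from the VALIDSIG line, or None when the run
    reported a failure or produced no VALIDSIG line at all.  The UID in the
    GOODSIG line is deliberately ignored: it is whatever the key's owner typed."""
    fpr = None
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        if fields[0] in FAILURE_KEYWORDS:
            return None
        if fields[0] == "VALIDSIG" and len(fields) > 1:
            fpr = normalize_fpr(fields[1])
    return fpr


def consensus(runs):
    """The single fingerprint seen in every run, or None if the runs disagree
    or any of them failed."""
    seen = {signer_fingerprint(output) for output in runs.values()}
    return seen.pop() if len(seen) == 1 else None


def cross_check(runs, pinned_fpr):
    """Compare every run against a fingerprint pinned from another channel.
    Returns (ok, report); ok only if every run verified with that exact key."""
    pinned = normalize_fpr(pinned_fpr)
    seen = {label: signer_fingerprint(output) for label, output in runs.items()}
    failed = sorted(label for label, fpr in seen.items() if fpr is None)
    mismatched = sorted(label for label, fpr in seen.items()
                        if fpr is not None and fpr != pinned)
    ok = bool(seen) and not failed and not mismatched
    return ok, {"seen": seen, "failed": failed, "mismatched": mismatched}


if __name__ == "__main__":
    print(consensus(RUNS_CONSISTENT))
    print(cross_check(RUNS_TAMPERED, PINNED_FPR))
```

Each run in practice is the same verify command executed from a different network or machine, with the status output captured to a file and fed in here; `consensus` is the "do they all agree" check, `cross_check` the stronger one against a fingerprint you already pinned. A run that disagrees is a reason to stop and find out why, not a vote to be outnumbered.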
Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/09/2012 11:05 AM, Peter Lebbing wrote:
> your reply, I understand now you did not mean it like that. I was already quite puzzled about my interpretation because it didn't sound like you :).

Thank you for giving me the benefit of the doubt. :)

> Funnily, we're saying the same thing. You yourself said you don't particularly care if Werner Koch is actually called Horace Micklethorpe or Harry Palmer or ... Then why are you interested in the number of Werner Kochs?

I'm not interested in the number of Werner Kochs. I'm interested in the difference between *the* entity and *an* entity. The entity that signs these releases happens to be Werner. But there are many entities named Werner, so how do we know we have the certificate belonging to the correct entity? It's an identification problem. Werner's only relevance to it _qua_ himself is that we acknowledge him as the definitive authenticator of the code: yes, that is the code I wrote. If we're going to rely on a definitive authenticator, shouldn't we ensure we're actually talking to the actual authenticating entity? :)

> So how did you verify your GnuPG source? If you say "I asked a close friend", my counterquestion is: How did he/she?
>
> What I want to know is: what bootstrapped the confidence that the key was the proper GnuPG dist sig?

My bootstrap is I trust my Linux distribution. My distro is a trusted software provider, in the traditional security sense of a trusted provider. If I receive software from an official Fedora repo and it is signed by the repo release team, that's good enough for me.

How did I come to trust that I have the correct certificate for the repo release team? Because it came on the DVD, which is my trusted bootstrap.

I fully acknowledge this is validation by fiat. Some people will think it's a perfectly reasonable way of doing things. Others will think I'm crazy. It's up to the individual to decide. :)

> And I do not see this process as, to quote you, "certifiably crazy" at all.

And as I said, apparently you and I have completely different opinions on whether crowdsourcing should be trusted for these matters. And, you know, that's okay. :)

Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/12 17:17, Robert J. Hansen wrote:
> My bootstrap is I trust my Linux distribution. My distro is a trusted software provider, in the traditional security sense of a trusted provider. If I receive software from an official Fedora repo and it is signed by the repo release team, that's good enough for me.

Suppose you would want to build from the vanilla source downloaded from gnupg.org and signed by "Werner Koch (dist sig)", how would you verify authenticity of that key?

I also just trust the Debian repo for my software. Unfortunately, the problem is just transferred to the signature on the ISO I download to install Debian on a new system. I do the same: download the sig from various places and compare the issuer.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

Gpg4win
When I installed Gpg4win, it came with GnuPG v2.0.17. I am not sure when it will be updated to include v2.0.19, but I was wondering whether there would be any problem from substituting the new version of gpgv2.exe for the older one? Thanks.

Re: Gpg4win
On 09.06.2012 19:35, John wrote:
> When I installed Gpg4win, it came with GnuPG v2.0.17. I am not sure when it will be updated to include v2.0.19, but I was wondering whether there would be any problem from substituting the new version of gpgv2.exe for the older one? Thanks.

I think that you should ask on gpg4win-users...@wald.intevation.org . It's linked at http://www.gpg4win.org/community.html .

-- 
[Mika Suomalainen](https://mkaysi.github.com/) || [gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) || [Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) || [Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) || [This signature](https://gist.github.com/2643070#file_icedove.md) || [Please reply below this line](http://mkaysi.github.com/articles/complaining/topposting.html)

Re: can someone verify the gnupg Fingerprint for pubkey?
On Sat, June 9, 2012 2:29 pm, Mark Rousell wrote:

snipped

>> What types of processes are forbidden by DreamHost?
> [deletia]
>
> Err.. sorry, not following you. :-) Who is using Dreamhost and what has it got to do with the finger protocol? Werner doesn't seem to be using Dreamhost for what it's worth.

snipped

I'm using dreamhost. I appreciated that it seems quite handy to have all that random characters stuff outside of the message body and I was pointing out that it is not universally accepted to have daemon thingys like finger running so limiting the take up.

cheers

mick
-- 
keyID: 0x4BFEBB31

Re: can someone verify the gnupg Fingerprint for pubkey?
On 06/09/2012 11:57 AM, Peter Lebbing wrote:
> Suppose you would want to build from the vanilla source downloaded from gnupg.org and signed by "Werner Koch (dist sig)", how would you verify authenticity of that key?

I don't understand where this question is going. I would find some trusted path, obviously. If I contact the maintainer and am told, "I download packages and check they are signed with this fingerprint ID," well, then I'm already transitively validating-by-fiat that fingerprint ID. If instead I'm told, "I've personally met the GnuPG release authority (i.e., Werner) and have signed that certificate," then the release certificate is validated because it is certified by a trusted introducer. If I'm told "beats me, Elvis comes to me in a séance and gives me all my answers," then I would have to find some other means.

Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/12 20:05, michael crane wrote:
> I'm using dreamhost. I appreciated that it seems quite handy to have all that random characters stuff outside of the message body and I was pointing out that it is not universally accepted to have daemon thingys like finger running so limiting the take up.

To get the public key through finger, you don't need to have a finger daemon running, you only need the finger client. Werner is the one having the finger daemon running.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

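The exchange Peter refers to is all the client side needs: one TCP connection to port 79, a single line naming the user, and whatever the daemon sends back until it closes the connection (RFC 1288). The Python below is an added example, not code from the thread or from GnuPG: it parses an `OpenPGP:` mail header of the form quoted earlier in the thread, turns the `finger:` URL into a user and host, and fetches the reply. The header value, the user name `alice`, the host `finger.example.org` and the served key block are all constructed placeholders, and a stand-in daemon is started on a loopback port so the example runs offline.

```python
"""Fetch an OpenPGP key block via finger (RFC 1288), driven by an OpenPGP:
mail header (added example; constructed header, user and key block)."""
import re
import socket
import socketserver
import threading

# Constructed header in the form seen on the list; id and address are placeholders.
OPENPGP_HEADER = "OpenPGP: id=0123ABCD; url=finger:alice@finger.example.org"

# Constructed stand-in for what the daemon returns; not a real key.
KEYBLOCK = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
            "(placeholder key block served by the local stand-in daemon)\n"
            "-----END PGP PUBLIC KEY BLOCK-----\n")


def parse_openpgp_header(header):
    """Split 'OpenPGP: k=v; k=v' into a dict with lower-cased keys."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "openpgp":
        raise ValueError("not an OpenPGP header")
    fields = {}
    for item in value.split(";"):
        key, _, val = item.strip().partition("=")
        if key:
            fields[key.strip().lower()] = val.strip()
    return fields


_FINGER_URL = re.compile(r"finger:(?://([^/:]+)(?::(\d+))?/(.+)|([^@/]+)@([^@/]+))")


def parse_finger_url(url):
    """Accept finger:user@host as well as finger://host[:port]/user -> (user, host, port)."""
    m = _FINGER_URL.fullmatch(url)
    if not m:
        raise ValueError("unsupported finger URL: %r" % url)
    if m.group(1):
        return m.group(3), m.group(1), int(m.group(2) or 79)
    return m.group(4), m.group(5), 79


def finger(user, host, port=79, timeout=10, max_bytes=1 << 20):
    """RFC 1288 query: send one line naming the user, read until the daemon
    closes the connection.  The user must be a single line (one request only)
    and the reply is capped so a misbehaving daemon cannot exhaust memory."""
    if "\r" in user or "\n" in user:
        raise ValueError("user name must be a single line")
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(user.encode("ascii") + b"\r\n")
        while True:
            data = conn.recv(4096)
            if not data:
                break
            total += len(data)
            if total > max_bytes:
                raise ValueError("finger reply exceeds %d bytes" % max_bytes)
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


class _StandInDaemon(socketserver.StreamRequestHandler):
    """Minimal finger daemon for the demo: answers one user, refuses the rest."""

    def handle(self):
        who = self.rfile.readline(512).decode("ascii", "replace").strip()
        self.wfile.write(KEYBLOCK.encode() if who == "alice" else b"finger: no such user\r\n")


def fetch_key_from_header(header, host_override=None, port_override=None):
    """Follow the finger: URL in an OpenPGP header and return the reply text."""
    user, host, port = parse_finger_url(parse_openpgp_header(header)["url"])
    return finger(user, host_override or host, port_override or port)


def demo():
    """Run the stand-in daemon on a loopback port and fetch the key through it."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _StandInDaemon)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fetch_key_from_header(OPENPGP_HEADER, "127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

What comes back is a plain-text key block over an unauthenticated connection; as Werner says earlier in the thread, that is fine, because the key block carries its own self-signature and third-party signatures and its fingerprint is what gets checked, not the transport.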
Re: can someone verify the gnupg Fingerprint for pubkey?
On 09/06/12 20:47, Robert J. Hansen wrote:
> On 06/09/2012 11:57 AM, Peter Lebbing wrote:
>> Suppose you would want to build from the vanilla source downloaded from gnupg.org and signed by "Werner Koch (dist sig)", how would you verify authenticity of that key?
>
> I don't understand where this question is going. I would find some trusted path, obviously. If I contact the maintainer and am told, "I download packages and check they are signed with this fingerprint ID," well, then I'm already transitively validating-by-fiat that fingerprint ID.

Where the question is going is rather simple: what would you recommend Joe Average User to do to verify the authenticity of the GnuPG source he downloaded, not questioning his desire to build from that source.

Contacting the package maintainer of your Linux distribution seems a good method. You could ask them to sign the dist sig instead, and publish it on the keyserver. Then anybody who trusts the distribution will be able to infer trust for the dist sig.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

Re: can someone verify the gnupg Fingerprint for pubkey?
On 6/9/2012 4:14 PM, Peter Lebbing wrote:
> Where the question is going is rather simple: what would you recommend Joe Average User to do to verify the authenticity of the GnuPG source he downloaded, not questioning his desire to build from that source.

Ah, I see. I apologize for not understanding sooner: I thought you were trying to illustrate a point.

I'm generally not comfortable giving advice about what people should do. I'm comfortable making factual statements, presenting options, talking about my own practices or giving perspectives, but I really want to avoid the recommending-what-people-should-do route. I'm not comfortable with that, not unless I'm billing by the hour and have a liability waiver signed in blood. :)

That said, I have found it useful as a general principle to avoid introducing new points of fiat validity. When possible, new sources should be certified through existing validated certificates. Considering my points of fiat validity and minimizing their number has always served me well.

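Robert's principle (avoid new points of fiat validity; certify new sources through certificates you have already validated) and Peter's suggestion (have the distribution's package maintainer sign the dist sig) can be made concrete as a small validity calculation over certifications. The Python below is an added example, not GnuPG's trust database code: the key names and certifications are constructed placeholders; a key counts as valid if it is a fiat anchor or is certified by a valid key you treat as an introducer; and the `exportable` flag models the lsign-versus-sign distinction from the start of the thread, so you can see that a local signature never helps anyone who imports your keyring.

```python
"""Tiny Web-of-Trust validity calculation (added example; placeholder keys)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    certifier: str           # key that certified a user ID
    certified: str           # key whose user ID was certified
    exportable: bool = True  # False models `gpg --lsign-key`: kept locally, never exported


# Constructed certification graph; every name is a placeholder, not a real key.
CERTS = [
    # I checked the distribution's release key against the install DVD and
    # lsigned it: that check is mine alone and is not published.
    Cert("MY-KEY", "DISTRO-RELEASE-KEY", exportable=False),
    Cert("DISTRO-RELEASE-KEY", "PKG-MAINTAINER-KEY"),
    # The package maintainer certified the upstream dist sig (Peter's proposal).
    Cert("PKG-MAINTAINER-KEY", "GNUPG-DIST-SIG"),
    # Someone unknown certified a different key carrying the same user ID.
    Cert("STRANGER-KEY", "GNUPG-DIST-SIG-LOOKALIKE"),
]

# Keys I have decided to trust as introducers (the ownertrust decision).
INTRODUCERS = {"MY-KEY", "DISTRO-RELEASE-KEY", "PKG-MAINTAINER-KEY"}


def usable(cert, exported_only):
    """A local signature is usable only inside the keyring it was made in."""
    return cert.exportable or not exported_only


def valid_keys(anchors, introducers, certs, exported_only=False):
    """Fixed point: a key is valid if it is a fiat anchor, or is certified by a
    key that is itself valid and has introducer trust."""
    valid = set(anchors)
    changed = True
    while changed:
        changed = False
        for c in certs:
            if (usable(c, exported_only) and c.certifier in valid
                    and c.certifier in introducers and c.certified not in valid):
                valid.add(c.certified)
                changed = True
    return valid


def trust_path(target, anchors, introducers, certs, exported_only=False):
    """Breadth-first search from the anchors; returns the chain of keys that
    makes `target` valid, or None if no usable chain exists."""
    parent = {a: None for a in anchors}
    queue = deque(sorted(anchors))
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        if cur not in introducers:
            continue  # valid, but not trusted to introduce further keys
        for c in certs:
            if usable(c, exported_only) and c.certifier == cur and c.certified not in parent:
                parent[c.certified] = cur
                queue.append(c.certified)
    return None


if __name__ == "__main__":
    # My own keyring: one fiat anchor, the dist sig validated through a chain.
    print(trust_path("GNUPG-DIST-SIG", {"MY-KEY"}, INTRODUCERS, CERTS))
    # A friend who imports my keyring sees only exportable certifications.
    print(trust_path("GNUPG-DIST-SIG", {"MY-KEY"}, INTRODUCERS, CERTS, exported_only=True))
```

With one anchor (your own key) the dist sig becomes valid through the chain distro key, package maintainer, dist sig, while the lookalike key with the same user ID stays invalid because nobody you trust as an introducer certified it. The alternative of declaring the dist sig itself an anchor also makes it valid, but at the cost of a second point of fiat validity, which is what the principle above argues against. Running the same query with `exported_only=True` shows the lsign effect: the non-exportable certification on the distro key disappears from anyone else's view, so your private check vouches for nothing in their keyring.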