Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Mika Suomalainen
On 07.06.2012 19:52, Robert J. Hansen wrote: On 6/7/12 12:32 PM, Werner Koch wrote: That is actually a bit funny: I never asked anyone to sign that key. Probably they deduced the correctness from my regular key which I used to sign the above key.

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Werner Koch
On Fri, 8 Jun 2012 23:41, smick...@hotmail.com said: Another thing is that downloading the key from that link you provided is no guarantee of safety in and of itself either because the page is not being hosted over SSL with confirmed identity information. So That is not relevant. The key

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Mark Rousell
On 07/06/2012 11:27, Werner Koch wrote: On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said: If you look at my OpenPGP mail header you will be pointed to a “finger” address - enter it into your web browser (in case you don't know what finger is) and you will see Just as an aside, I

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Robert J. Hansen
Please consider trimming your quotes. The amount that's going on here strikes me as pretty excessive. I'm not standing on a chair and screaming that you're doing it wrong, of course: this is just a friendly request to please trim your quotes. :) The whole idea behind the web of trust is that

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread michael crane
On Sat, June 9, 2012 10:28 am, Mark Rousell wrote: On 07/06/2012 11:27, Werner Koch wrote: On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said: If you look at my OpenPGP mail header you will be pointed to a “finger” address - enter it into your web browser (in case you don't know what

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Peter Lebbing
On 09/06/12 02:22, Robert J. Hansen wrote: Some might shake their heads and say no, it's not: you only verified you were speaking with *a* Werner Koch who had access to *the* Werner Koch's email address, not that you were speaking to *the* Werner Koch. So how /do/ you verify that you have the

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Sven Radde
Hi! Perhaps it would be worthwhile to add a question to the signing process: Have you met this person face-to-face and verified his/her identity? (y/N) If the user answers no, display a warning that the user probably wants to lsign, not to sign, and give the option of making an lsign

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Mark Rousell
On 09/06/2012 12:05, michael crane wrote: On Sat, June 9, 2012 10:28 am, Mark Rousell wrote: On 07/06/2012 11:27, Werner Koch wrote: On Wed, 6 Jun 2012 21:54, pe...@digitalbrains.com said: If you look at my OpenPGP mail header you will be pointed to a “finger” address - enter it into your

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Robert J. Hansen
On 06/09/2012 07:21 AM, Peter Lebbing wrote: So how /do/ you verify that you have the distribution key for GnuPG? By fiat. You go through some mechanism and at the completion declare, I am satisfied that the likelihood of this *not* being the correct distribution key is quite low. I'm not

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Robert J. Hansen
On 06/09/2012 09:44 AM, Robert J. Hansen wrote: It doesn't really matter how many Werner Kochs there are. Sure it does. As an absurdist thought experiment... An anecdote might work better than an absurdist thought experiment, come to think of it... = In the United States, the

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Peter Lebbing
On 09/06/12 15:44, Robert J. Hansen wrote: I'm not weighing in on what the mechanism should be: I don't get to declare what anyone else's policy should be. I was under the impression you did. I interpreted your mail and particularly the statement but this either is or isn't a proper

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Robert J. Hansen
On 06/09/2012 11:05 AM, Peter Lebbing wrote: your reply, I understand now you did not mean it like that. I was already quite puzzled about my interpretation because it didn't sound like you :). Thank you for giving me the benefit of the doubt. :) Funnily, we're saying the same thing. You

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Peter Lebbing
On 09/06/12 17:17, Robert J. Hansen wrote: My bootstrap is I trust my Linux distribution. My distro is a trusted software provider, in the traditional security sense of a trusted provider. If I receive software from an official Fedora repo and it is signed by the repo release team, that's

Gpg4win

2012-06-09 Thread John
When I installed Gpg4win, it came with GnuPG v2.0.17. I am not sure when it will be updated to include v2.0.19, but I was wondering whether there would be any problem from substituting the new version of gpgv2.exe for the older one? Thanks.

Re: Gpg4win

2012-06-09 Thread Mika Suomalainen
On 09.06.2012 19:35, John wrote: When I installed Gpg4win, it came with GnuPG v2.0.17. I am not sure when it will be updated to include v2.0.19, but I was wondering whether there would be any problem from substituting the new version of gpgv2.exe

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread michael crane
On Sat, June 9, 2012 2:29 pm, Mark Rousell wrote: snipped What types of processes are forbidden by DreamHost? [deletia] Err.. sorry, not following you. :-) Who is using Dreamhost and what has it got to do with the finger protocol? Werner doesn't seem to be using Dreamhost for what it's

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Robert J. Hansen
On 06/09/2012 11:57 AM, Peter Lebbing wrote: Suppose you would want to build from the vanilla source downloaded from gnupg.org and signed by Werner Koch (dist sig), how would you verify authenticity of that key? I don't understand where this question is going. I would find some trusted path,

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Peter Lebbing
On 09/06/12 20:05, michael crane wrote: I'm using dreamhost. I appreciated that it seems quite handy to have all that random characters stuff outside of the message body and I was pointing out that it is not universally accepted to have daemon thingys like finger running so limiting the

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Peter Lebbing
On 09/06/12 20:47, Robert J. Hansen wrote: On 06/09/2012 11:57 AM, Peter Lebbing wrote: Suppose you would want to build from the vanilla source downloaded from gnupg.org and signed by Werner Koch (dist sig), how would you verify authenticity of that key? I don't understand where this

Re: can someone verify the gnupg Fingerprint for pubkey?

2012-06-09 Thread Robert J. Hansen
On 6/9/2012 4:14 PM, Peter Lebbing wrote: Where the question is going is rather simple: what would you recommend Joe Average User to do to verify the authenticity of the GnuPG source he downloaded, not questioning his desire to build from that source. Ah, I see. I apologize for not