can someone verify the gnupg Fingerprint for pubkey?

Peter Lebbing peter at
Wed Jun 6 21:54:01 CEST 2012

On 06/06/12 17:58, Mika Suomalainen wrote:
>> D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
> Looks correct.
> ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 gpg:
> requesting key 4F25E3B6 from hkp server gpg: key
> 4F25E3B6: public key "Werner Koch (dist sig)" imported

I agree it appears he has the correct key. I did a local sig on it after what
checking I seemed to be able to do without meeting people in person.

But it's a bit unclear to me on what basis you decided it looked correct? Your
mail suggests to me that you decided that based on the fact that the UID on
that key is "Werner Koch (dist sig)". But that would be the very first thing a
potential attacker would duplicate in his effort to fool our OP. Even if he's
using MITM tricks to subvert his system, he can still post his personally
generated key to the keyserver with this UID.


PS: I briefly considered signing this message, because the attacker might MITM
my message to the OP. Then I realised what good that signature would do :).

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

More information about the Gnupg-users mailing list