can someone verify the gnupg Fingerprint for pubkey?

Thu Jun 7 01:15:59 CEST 2012

yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm trying to guard against. 

My efforts to verify the fingerprint are the best way to do this, correct?

> Date: Wed, 6 Jun 2012 21:54:01 +0200
> From: peter at digitalbrains.com
> To: gnupg-users at gnupg.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> 
> On 06/06/12 17:58, Mika Suomalainen wrote:
> >> D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
> > Looks correct.
> > 
> > ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 gpg:
> > requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net gpg: key
> > 4F25E3B6: public key "Werner Koch (dist sig)" imported
> 
> I agree it appears he has the correct key. I did a local sig on it after what
> checking I seemed to be able to do without meeting people in person.
> 
> But it's a bit unclear to me on what basis you decided it looked correct? Your
> mail suggests to me that you decided that based on the fact that the UID on
> that key is "Werner Koch (dist sig)". But that would be the very first thing a
> potential attacker would duplicate in his effort to fool our OP. Even if he's
> using MITM tricks to subvert his system, he can still post his personally
> generated key to the keyserver with this UID.
> 
> Peter.
> 
> PS: I briefly considered signing this message, because the attacker might MITM
> my message to the OP. Then I realised what good that signature would do :).
> 
> -- 
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20120606/5881d135/attachment.htm>