can someone verify the gnupg Fingerprint for pubkey?

Werner Koch wk at gnupg.org
Thu Jun 7 12:27:00 CEST 2012


On Wed,  6 Jun 2012 21:54, peter at digitalbrains.com said:

> But it's a bit unclear to me on what basis you decided it looked correct? Your
> mail suggests to me that you decided that based on the fact that the UID on
> that key is "Werner Koch (dist sig)". But that would be the very first thing a

If you look at my OpenPGP mail header you will be pointed to a “finger”
address - enter it into your web browser (in case you don't know what
finger is) and you will see

    pub   2048D/1E42B367 2007-12-31 [expires: 2018-12-31]
    uid                  Werner Koch <wk at gnupg.org>
    uid                  Werner Koch <XX at g10code.com>
    sub   2048R/FA8FE1F9 2008-03-21 [expires: 2011-12-30]
    sub   1024D/77F95F95 2011-11-02
    sub   2048R/C193565B 2011-11-07 [expires: 2013-12-31]
    
    pub   2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
    uid                  Werner Koch (dist sig)
    sub   2048R/AC87C71A 2011-01-12 [expires: 2019-12-31]
    
    pub   1024R/1CE0C630 2006-01-01 [expired: 2011-06-30]
    uid                  Werner Koch (dist sig) <dd9jn at gnu.org>
    
    pub   1024D/57548DCD 1998-07-07 [expired: 2005-12-31]
    uid                  Werner Koch (gnupg sig) <dd9jn at gnu.org>
    
  
  1E42B367 is my standard key [encrypt and sign; use this one].
  
  4F25E3B6 is used to sign software distributions [sign only].
  
  5B0358A2 was used as my key until it expired on 2011-07-11;
           it has been superseded by 1E42B367
  1CE0C630 was used to sign software distributions [sign only];
           it has been superseded by 4F25E3B6.
  57548DCD was used to sign software distributions [sign only];
           it has been superseded by 1CE0C630.
  
  Please note that I use a subkey for signing messages; some old OpenPGP
  implementations may not be able to check such a signature. The primary
  key is stored at a more or less secure place and only used on a spare
  laptop which is not connected to any network. If you find a key
  certified by this one, you can be sure that I personally met this
  person and checked the name part of the user ID against an official
  looking passport or another suitable photo id.  My signature does not
  say anything about the email address (I merely check that the address
  looks plausible).
  
followed by a public key block.  If you check the signatures of the
current dist signing key (gpg --check-sigs 4F25E3B6):

  pub   2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
  uid                  Werner Koch (dist sig)
  sig!3        4F25E3B6 2011-01-12  Werner Koch (dist sig)
  sig!         1CE0C630 2011-01-12  Werner Koch (dist sig) <dd9jn at gnu.org>
  sig!         1E42B367 2011-01-12  Werner Koch <wk at gnupg.org>
  [...]

you will notice that the key has in addition to the required
self-signature (note the “sig!3” line with the same key ID as the “pub”
line) a signature from the former dist signing key (1CE0C630), and one
from my regular key 1E42B367.  Now check my regular key and you will
notice that it is very well connected in the Web of Trust.


Shalom-Salam,

   Werner


p.s.

If you wonder about the subkey of the dist sig key:  It is used for
ssh and, due to the “A” usage, ignored by gpg:

  $ gpg2 --edit-key --batch 4F25E3B6 quit
  Secret key is available.
  
  pub  2048R/4F25E3B6  created: 2011-01-12  expires: 2019-12-31  usage: SC  
                       trust: ultimate      validity: ultimate
  sub  2048R/AC87C71A  created: 2011-01-12  expires: 2019-12-31  usage: A   
  [ultimate] (1). Werner Koch (dist sig)
  
-- 
Thoughts are free.  Exceptions are regulated by a federal law.
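An added example, not part of the message above and not GnuPG code: a small parser for the human-readable `gpg --check-sigs` listing format quoted in the message, reporting which already-validated keys have a verified (`sig!`) signature on a given key while never counting the self-signature. The look-alike key DEADBEEF and the choice of 1E42B367 as the already-validated anchor are constructed assumptions for illustration.

```python
import re

# Constructed sample: the listing quoted in the message above, plus a
# made-up look-alike key (DEADBEEF) that carries the same user ID.
LISTING = """\
pub   2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
uid                  Werner Koch (dist sig)
sig!3        4F25E3B6 2011-01-12  Werner Koch (dist sig)
sig!         1CE0C630 2011-01-12  Werner Koch (dist sig) <dd9jn at gnu.org>
sig!         1E42B367 2011-01-12  Werner Koch <wk at gnupg.org>

pub   2048R/DEADBEEF 2012-06-01
uid                  Werner Koch (dist sig)
sig!3        DEADBEEF 2012-06-01  Werner Koch (dist sig)
sig-         1E42B367 2012-06-01  Werner Koch <wk at gnupg.org>
"""

PUB = re.compile(r"^pub\s+\S+/([0-9A-F]{8,16})\b")
# "sig", result flag ("!" = verified), optional flags, signer key ID, date
SIG = re.compile(r"^sig(.).*?\b([0-9A-F]{8,16}) \d{4}-\d{2}-\d{2}")


def verified_signers(listing):
    """Return {key ID: set of key IDs whose signature on it verified}."""
    result, current = {}, None
    for line in listing.splitlines():
        line = line.strip()
        if m := PUB.match(line):
            current = m.group(1)
            result[current] = set()
        elif current and (m := SIG.match(line)) and m.group(1) == "!":
            result[current].add(m.group(2))
    return result


def vouched_by(listing, key_id, anchors):
    """Anchors with a verified signature on key_id; the self-signature never counts."""
    signers = verified_signers(listing).get(key_id, set())
    return sorted((signers - {key_id}) & set(anchors))


if __name__ == "__main__":
    anchors = {"1E42B367"}  # assumption: a key you have already validated
    for key in ("4F25E3B6", "DEADBEEF"):
        print(key, "vouched for by", vouched_by(LISTING, key, anchors) or "nobody")
```

The look-alike key has a valid self-signature and the same user ID, yet nothing vouches for it, because its only third-party signature line is `sig-` rather than `sig!`.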

