can someone verify the gnupg Fingerprint for pubkey?

Mika Suomalainen mika.henrik.mainio at
Thu Jun 7 17:59:44 CEST 2012

Hash: SHA1

On 07.06.2012 02:15, Sam Smith wrote:
> yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm 
> trying to guard against.
> My efforts to verify the fingerprint are the best way to do this,
> correct?
>> Date: Wed, 6 Jun 2012 21:54:01 +0200 From:
>> peter at To: gnupg-users at Subject: Re:
>> can someone verify the gnupg Fingerprint for pubkey?
>> On 06/06/12 17:58, Mika Suomalainen wrote:
>>>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>>> Looks correct.
>>> ``` % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
>>> gpg: requesting key 4F25E3B6 from hkp server
>>> gpg: key 4F25E3B6: public key "Werner
>>> Koch (dist sig)" imported
>> I agree it appears he has the correct key. I did a local sig on
>> it
> after what
>> checking I seemed to be able to do without meeting people in
>> person.
>> But it's a bit unclear to me on what basis you decided it looked
> correct? Your
>> mail suggests to me that you decided that based on the fact that
>> the
> UID on
>> that key is "Werner Koch (dist sig)". But that would be the very
>> first
> thing a
>> potential attacker would duplicate in his effort to fool our OP.
>> Even
> if he's
>> using MITM tricks to subvert his system, he can still post his
>> personally generated key to the keyserver with this UID.
>> Peter.
>> PS: I briefly considered signing this message, because the
>> attacker
> might MITM
>> my message to the OP. Then I realised what good that signature
>> would
> do :).
>> -- I use the GNU Privacy Guard (GnuPG) in combination with
>> Enigmail. You can send me encrypted mail if you want some
>> privacy. My key is available at
>> _______________________________________________ Gnupg-users
>> mailing list Gnupg-users at 
> _______________________________________________ Gnupg-users mailing
> list Gnupg-users at 

Oh, then you are checking wrong thing. You should be checking
signatures in key. That key looks valid to me.

% gpg --list-sigs D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
pub   2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
uid                  Werner Koch (dist sig)
sig          58DFC608 2011-06-11  Andrey Samokhvalov <andreysmh at>
sig          30B94B5C 2012-02-29  楊士青 (Yang Shih-Ching)
<imacat at mail.imacat.i>
sig          1E42B367 2011-01-12  Werner Koch <wk at>
sig          3B180E81 2011-02-13  Wolf Windshadow (My personal key)
dow at>
sig          1CE0C630 2011-01-12  Werner Koch (dist sig) <dd9jn at>
sig 2        2AAA5C3B 2011-01-22  Gary de Montigny (HMS)
<gary at>
sig 2        E3F1D8F7 2012-01-31  Javier Alonso Fernández Almirall
ndez.a at>
sig 3        4F25E3B6 2011-01-12  Werner Koch (dist sig)
sig 1        46EB581F 2011-10-29  Stanislav Sidorenko (email&jabber)
<mail at stani>
sig          F80D46AB 2011-06-10  Ulf Linde < at>
sig          A3B53998 2011-06-14  Daniel Kraft (Graz, Austria)
<d at>
sub   2048R/AC87C71A 2011-01-12 [expires: 2019-12-31]
sig          1CE0C630 2011-01-12  Werner Koch (dist sig) <dd9jn at>
sig          4F25E3B6 2011-01-12  Werner Koch (dist sig)

- -- 
[Mika Suomalainen]( ||
[gpg --keyserver --recv-keys
4DB53CFE82A46728]( ||
[Why do I sign my
emails?]( ||
[Please don't send
HTML.]( ||
[This signature]( ||

[Please reply below this

Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Homepage:
Comment: gpg --keyserver 82A46728
Comment: Public key:
Comment: Using GnuPG with Mozilla -


More information about the Gnupg-users mailing list