can someone verify the gnupg Fingerprint for pubkey?

Mika Suomalainen mika.henrik.mainio at hotmail.com
Thu Jun 7 17:59:44 CEST 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07.06.2012 02:15, Sam Smith wrote:
> yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm 
> trying to guard against.
> 
> My efforts to verify the fingerprint are the best way to do this,
> correct?
> 
> 
> 
> 
>> Date: Wed, 6 Jun 2012 21:54:01 +0200
>> From: peter at digitalbrains.com
>> To: gnupg-users at gnupg.org
>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
>> 
>> On 06/06/12 17:58, Mika Suomalainen wrote:
>>>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>>> Looks correct.
>>> 
>>> ```
>>> % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
>>> gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
>>> gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
>>> ```
>> 
>> I agree it appears he has the correct key. I did a local sig on it after
>> what checking I seemed to be able to do without meeting people in person.
>>
>> But it's a bit unclear to me on what basis you decided it looked correct?
>> Your mail suggests to me that you decided that based on the fact that the
>> UID on that key is "Werner Koch (dist sig)". But that would be the very
>> first thing a potential attacker would duplicate in his effort to fool our
>> OP. Even if he's using MITM tricks to subvert his system, he can still post
>> his personally generated key to the keyserver with this UID.
>>
>> Peter.
>>
>> PS: I briefly considered signing this message, because the attacker might
>> MITM my message to the OP. Then I realised what good that signature would
>> do :).
>> 
>> -- I use the GNU Privacy Guard (GnuPG) in combination with
>> Enigmail. You can send me encrypted mail if you want some
>> privacy. My key is available at
>> http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
>> 
>> _______________________________________________ Gnupg-users
>> mailing list Gnupg-users at gnupg.org 
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users

Oh, then you are checking the wrong thing. You should be checking the
signatures in the key. That key looks valid to me.

```
% gpg --list-sigs D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
pub   2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
uid                  Werner Koch (dist sig)
sig          58DFC608 2011-06-11  Andrey Samokhvalov <andreysmh at ukr.net>
sig          30B94B5C 2012-02-29  楊士青 (Yang Shih-Ching) <imacat at mail.imacat.idv.tw>
sig          1E42B367 2011-01-12  Werner Koch <wk at gnupg.org>
sig          3B180E81 2011-02-13  Wolf Windshadow (My personal key) <wolfwindshadow at gmail.com>
sig          1CE0C630 2011-01-12  Werner Koch (dist sig) <dd9jn at gnu.org>
sig 2        2AAA5C3B 2011-01-22  Gary de Montigny (HMS) <gary at demontigny.net>
sig 2        E3F1D8F7 2012-01-31  Javier Alonso Fernández Almirall <javier.fernandez.a at gmail.com>
sig 3        4F25E3B6 2011-01-12  Werner Koch (dist sig)
sig 1        46EB581F 2011-10-29  Stanislav Sidorenko (email&jabber) <mail at stanislavsidorenko.com>
sig          F80D46AB 2011-06-10  Ulf Linde <ulf.linde at armax.se>
sig          A3B53998 2011-06-14  Daniel Kraft (Graz, Austria) <d at domob.eu>
sub   2048R/AC87C71A 2011-01-12 [expires: 2019-12-31]
sig          1CE0C630 2011-01-12  Werner Koch (dist sig) <dd9jn at gnu.org>
sig          4F25E3B6 2011-01-12  Werner Koch (dist sig)
```

- -- 
[Mika Suomalainen](https://mkaysi.github.com/) ||
[gpg --keyserver pool.sks-keyservers.net --recv-keys
4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) ||
[Why do I sign my
emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) ||
[Please don't send
HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) ||
[This signature](https://gist.github.com/2643070#file_icedove.md) ||

[Please reply below this
line](http://mkaysi.github.com/articles/complaining/topposting.html)

____________________________
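The point raised in this thread, that a UID and a short key ID can be copied by anyone while the full fingerprint cannot, shown as an added example that is not part of the original message. The function names are hypothetical, both listings are constructed in the format of `gpg --with-colons --fingerprint`, and the expected fingerprint is assumed to have reached you through a channel you already trust.

```shell
#!/bin/sh
# Added example: compare a key's full fingerprint, taken from
# `gpg --with-colons --fingerprint` output, with one obtained out of band.

EXPECTED='D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6'  # from the thread

norm_fpr() {  # strip whitespace, uppercase the hex digits
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

primary_fpr() {  # stdin: colon listing; stdout: fingerprint of the primary key
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0 }
             want && $1 == "fpr" { print $10; exit }'
}

# check_key EXPECTED_FPR < listing
# 0 = match, 1 = mismatch, 2 = EXPECTED_FPR is not a full 40-hex-digit fingerprint
check_key() {
    expected=$(norm_fpr "$1")
    case "$expected" in *[!0-9A-F]*|'') return 2 ;; esac
    [ "${#expected}" -eq 40 ] || return 2
    [ "$(primary_fpr)" = "$expected" ]
}

# Constructed listings (not real gpg output). Both carry the same UID and the
# same short key ID 4F25E3B6; only the full fingerprint differs.
genuine_listing() {
    cat <<'EOF'
pub:-:2048:1:249B39D24F25E3B6:1294790400:1577750400::-:::scESC:
fpr:::::::::D8692123C4065DEA5E0F3AB5249B39D24F25E3B6:
uid:-::::1294790400::::Werner Koch (dist sig):
EOF
}
lookalike_listing() {
    cat <<'EOF'
pub:-:2048:1:AAAAAAAA4F25E3B6:1338940800:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4F25E3B6:
uid:-::::1338940800::::Werner Koch (dist sig):
EOF
}

for listing in genuine_listing lookalike_listing; do
    if "$listing" | check_key "$EXPECTED"; then
        echo "$listing: fingerprint matches"
    else
        echo "$listing: fingerprint does NOT match"
    fi
done
```

Against a real keyring the listing would come from `gpg --with-colons --fingerprint <key>` piped into `check_key`; a short key ID passed as the expected value is rejected with status 2 rather than compared.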


