can someone verify the gnupg Fingerprint for pubkey?

Robert J. Hansen rjh at sixdemonbag.org
Sat Jun 9 02:22:39 CEST 2012


On 06/08/2012 05:37 PM, Sam Smith wrote:
> I downloaded the GnuPG program. I then ran --verify and was told that
> the key was signed with 0x4F25E3B6 key. I download 0x4F25E3B6 key from a
> key server and then asked people on this mailing list to confirm that I
> downloaded a legit key. Several people on this mailing list confirmed
> the fingerprint of this key as a legit key. I then marked the key as
> trusted because I verified the fingerprint.

I hate to give an unclear answer, but this either is or isn't a proper
verification, and there's no in-between.  Before you go about thinking
that's a pointless answer, please: I promise you that it's a completely
accurate answer, and understanding why it's accurate will help you
understand the nature of verification.

The ancient Greeks had a branch of philosophy that was concerned with
the nature of knowledge: not just what did we know, but how is it that
we knew it, and on what basis did we trust it?  This branch was called
epistemology, and verification is an epistemological question.  All
right, you have a certificate and you know it's truly Werner's release
signing certificate: but *how do you know it*?

The gold standard of such knowledge involves meeting Werner
face-to-face, checking his passport, verifying that it's a real passport
and not a forgery, receiving his certificate fingerprint directly from
him, emailing him at that address to confirm that he truly has access to
the address listed, and so forth.  If you were to do this many people on
this list would nod appreciatively and say that yes, this is a proper
verification.  Some might shake their heads and say no, it's not: you
only verified you were speaking with *a* Werner Koch who had access to
*the* Werner Koch's email address, not that you were speaking to *the*
Werner Koch.

And, you know what?  They'd be absolutely right.

Ultimately, whether a given verification process rises to the bar of
sufficiency is a personal decision.  There is no absolute standard.  As
a result of this, you can only ever rely on being able to satisfy
yourself -- there will always be people out there who believe your
verification process is insufficient.  And that's why your process
either is or isn't a proper verification, and why there's no in-between.

If you can honestly say that you understand the risks of asking the
list, that you've considered those risks and you're comfortable doing
things this way, then sign that certificate with a clear conscience and
don't let anybody tell you that you're doing it wrong.

Me, I think your process is certifiably crazy and I would never, ever do
it that way.  But you know what?  I don't get to control your
decision-making process and I don't think you should put any stock in my
opinion.  After all, I'm just a guy on the internet whom you've never
met.  You have no idea if I'm a bulwark of sanity or if I bark at the
moon on a regular basis.  :)
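As an added example, not part of this post and not GnuPG's own code, the check the original poster describes (confirming a downloaded key's fingerprint) written as a POSIX shell script that compares the full 40-digit fingerprint rather than the 8-digit key ID 0x4F25E3B6. gpg is not invoked: the colon-format output is a constructed stand-in for `gpg --with-colons --fingerprint 0x4F25E3B6`, and every fingerprint, key ID and user ID in it is made up, so the real value to compare against still has to come from out-of-band.

```shell
#!/bin/sh
# Added example, not part of the list post. It shows the check the original
# poster describes (confirming a downloaded key's fingerprint) done against
# the full 40-hex-digit fingerprint rather than the 8-digit key ID 0x4F25E3B6.
# gpg is not invoked here: SAMPLE_COLONS is a constructed stand-in for the
# output of `gpg --with-colons --fingerprint 0x4F25E3B6`, and every
# fingerprint, key ID and user ID below is made up for the example.

# Constructed colon-format output. Field 10 of the "fpr" record carries the
# full fingerprint; field 5 of the "pub" record carries the 16-digit key ID.
SAMPLE_COLONS='tru::1:1339200000:0:3:1:5
pub:-:2048:1:89ABCDEF4F25E3B6:1339200000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF4F25E3B6:
uid:-::::1339200000::0000000000000000000000000000000000000000::Example Release Signer <release@example.org>::::::::::0:'

# The fingerprint as obtained out-of-band (read over the phone, printed on
# paper, shown by a source you already trust). Constructed value.
EXPECTED_FPR='0123 4567 89AB CDEF 0123  4567 89ab cdef 4f25 e3b6'

# Canonical form: no whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Fingerprint from the first "fpr" record of colon-format output.
extract_fpr() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Last 8 hex digits of a fingerprint: the short key ID gpg shows as 0x....
short_id_of() {
    normalize_fpr "$1" | tail -c 8
}

# Succeeds only when the expected value is a complete 40-digit fingerprint
# and equals the key's actual fingerprint. A bare key ID is refused even
# though it is a suffix of the fingerprint: many keys can share a short ID.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$2")
    [ "${#expected}" -eq 40 ] || return 1
    [ "$expected" = "$actual" ]
}

main() {
    actual=$(extract_fpr "$SAMPLE_COLONS")
    echo "key 0x$(short_id_of "$actual") has fingerprint $actual"
    if fpr_matches "$EXPECTED_FPR" "$actual"; then
        echo "fingerprint matches the out-of-band value"
    else
        echo "fingerprint MISMATCH: do not trust this key" >&2
        return 1
    fi
}

main
```

To use it against a real key, replace SAMPLE_COLONS with the output of `gpg --with-colons --fingerprint <keyid>` and EXPECTED_FPR with the fingerprint obtained through whatever channel you have decided to trust; the script only settles the mechanical comparison, not the epistemological question the post is about.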
