can someone verify the gnupg Fingerprint for pubkey?

Robert J. Hansen rjh at
Sat Jun 9 12:25:19 CEST 2012

Please consider trimming your quotes.  The amount that's going on here
strikes me as pretty excessive.  I'm not standing on a chair and
screaming that you're doing it wrong, of course: this is just a friendly
request to please trim your quotes.  :)

> The whole idea behind the web of trust is that you have met "real"
> people.

Not particularly.  The idea behind the Web of Trust is that entities can
introduce other entities.  Everything above and beyond that is just the
projection someone places upon it.

> It is a principle of the whole system that you only sign people's
> keys. The person comes first - not the key.

Not necessarily.  For instance, Symantec has a certificate they use to
sign PGP releases.  That certificate does not belong to a person but to
a corporation.  *Entities* come first, but an entity is not necessarily
a person.  Usually it is -- but it's not required to be.

> It's not the validity of keys but the validity of people.

No, it's definitely the validity of certificates that we're checking.
We can agree on how to check the validity of a certificate -- ensure the
fingerprint matches the one provided to you by the entity controlling
the certificate.  We can't agree on how to check the validity of a
person, or even what it even means to do this.  So instead we handwave
it by saying, "prove to your own satisfaction you're talking to the real
entity -- whether this means you've known the person for twenty years,
you've seen two forms of government ID, or Elvis came to you in a séance
and vouched for the person and told you he was a swell guy."

That last option is every bit as 'valid' as the other two.  How you
confirm an entity's identity is your choice, and nobody gets to decide
that policy except you.

> Most people are bound up with beliefs and behaviours. They interact
> with others on a daily basis sharing common values, beliefs and
> behaviours. Under normal conditions we don't ask every one we meet
> for their passport, driving license or DNA sequence. We accept it as
> the norm that people are real and valid - it's the IDs they use which
> may or may not be questionable.

I don't understand what you're talking about here.  In fact, it seems
quite self-contradictory.  If someone presents themselves as being
Horace Micklethorpe, shows me ID in that name, and then I later discover
this person's real name is Harry Palmer, I'm going to understandably
accuse this person of having been inauthentic with me.

> So people on this mailing list "know" that Werner Koch is "real."

Few of us do.  I harbor some suspicion that Werner's real name is Horace
Micklethorpe.  He might also be Harry Palmer or Bob Howard.  I don't
know.  I also don't particularly *care*, either: what I care about is
what he does, not who he is.

> A public key is a static document

Certificates change over time as UIDs, UATs, signatures and subkeys are
added and revoked.  Certificates are highly dynamic documents: many of
them gain a signature a week.
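The two technical points above (check a certificate by matching its fingerprint against the one the controlling entity gave you, and the fingerprint stays fixed while UIDs, signatures and subkeys come and go) can be shown concretely. The following is an added example, not code from the post or from GnuPG: it serializes a version 4 RSA public-key packet, computes the fingerprint exactly as RFC 4880 section 12.2 defines it (SHA-1 over 0x99, a two-byte length, then the packet body), and compares it in constant time against a fingerprint supplied out of band. The key material (`SAMPLE_N`, `SAMPLE_E`, `SAMPLE_CREATED`) is constructed for illustration and far too small to be a real key; the packet-list helper `certificate_fingerprint` is a hypothetical simplification of a real certificate parser.

```python
"""OpenPGP v4 fingerprint computation and out-of-band comparison (added example)."""
import hashlib
import hmac
import re

# Constructed sample values: a toy 128-bit modulus, not a usable key.
SAMPLE_CREATED = 1339237519          # key creation time, seconds since the epoch
SAMPLE_N = 0xD6C5D1F4B2A1D8E1C3F5A7B9D1E3F5A7
SAMPLE_E = 65537


def _mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2):
    two-byte bit length followed by the big-endian magnitude."""
    bitlen = n.bit_length()
    return bitlen.to_bytes(2, "big") + n.to_bytes((bitlen + 7) // 8, "big")


def v4_rsa_public_key_body(creation_time: int, n: int, e: int) -> bytes:
    """Serialize a version 4 RSA public-key packet body (RFC 4880 5.5.2):
    version, creation time, algorithm id 1 (RSA), then MPIs n and e."""
    return (bytes([4]) + creation_time.to_bytes(4, "big") + bytes([1])
            + _mpi(n) + _mpi(e))


def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, two-byte body length, then the body.
    Only the public-key packet is hashed; nothing else in the certificate
    influences the result."""
    prefix = b"\x99" + len(key_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + key_body).hexdigest().upper()


def certificate_fingerprint(packets) -> str:
    """Hypothetical helper: given a certificate as a list of (tag, body)
    packets, the fingerprint comes from the primary public-key packet
    (tag 6) alone. UIDs (13), signatures (2) and subkeys (14) may be added
    or revoked without changing it."""
    for tag, body in packets:
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("certificate has no primary public-key packet")


def normalize_fingerprint(text: str) -> str:
    """Accept the forms people actually pass around (spaces, lowercase,
    optional 0x prefix) and reject anything that is not 40 hex digits."""
    compact = re.sub(r"\s+", "", text)
    if compact.lower().startswith("0x"):
        compact = compact[2:]
    compact = compact.upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % text)
    return compact


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID of a v4 key is the low-order 16 hex digits of its
    fingerprint; it is a convenience label, not a substitute for the
    full fingerprint when verifying."""
    return normalize_fingerprint(fingerprint)[-16:]


def fingerprint_matches(key_body: bytes, expected: str) -> bool:
    """Compare the fingerprint computed from the key against the one the
    controlling entity gave you. Malformed input counts as a mismatch, and
    compare_digest avoids leaking the position of the first differing digit."""
    try:
        wanted = normalize_fingerprint(expected)
    except ValueError:
        return False
    return hmac.compare_digest(v4_fingerprint(key_body).encode(), wanted.encode())


if __name__ == "__main__":
    body = v4_rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    fpr = v4_fingerprint(body)
    print("fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("key id:     ", key_id(fpr))
    # The certificate below gained a UID and a signature; the fingerprint is unchanged.
    grown = [(6, body), (13, b"Horace Micklethorpe"), (2, b"\x04constructed-sig")]
    print("same after growth:", certificate_fingerprint(grown) == fpr)
    print("matches lowercase: ", fingerprint_matches(body, fpr.lower()))
```

The only trusted input here is the expected fingerprint, which has to come from the entity controlling the certificate over some channel other than the keyserver that delivered the key; the code's job is merely to make the comparison exact, tolerant of harmless formatting differences and intolerant of everything else. In practice you would read the computed value from `gpg --fingerprint` rather than hashing packets yourself, but the hashing above is what that command does for v4 keys.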
