can someone verify the gnupg Fingerprint for pubkey?

Peter Lebbing peter at digitalbrains.com
Sat Jun 9 13:21:46 CEST 2012


On 09/06/12 02:22, Robert J. Hansen wrote:
> Some might shake their heads and say no, it's not: you only verified you were
> speaking with *a* Werner Koch who had access to *the* Werner Koch's email
> address, not that you were speaking to *the* Werner Koch.

So how /do/ you verify that you have the distribution key for GnuPG? Let's not
lose sight of this specific instance of verification: that you want to know you
have the GnuPG source as distributed by its authors, and not some modified
version. It doesn't really matter how many Werner Kochs there are.

There is always a bootstrapping problem for the trust. So at some point you'll
have to satisfy yourself that you have the correct key. Crowdsourcing the
knowledge seems viable, if you make sure the messages from the crowd are not
altered by your attacker.

And it's always a costs/benefits decision. How sure do you want to be that you
have the unmodified sources? So I don't agree that it is as binary as "this is
or isn't a proper verification".

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
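The "crowdsourcing" check Peter describes above, as an added example that is not part of this thread: compare the fingerprint of the key you actually downloaded against fingerprints collected through several independent channels, and accept it only when enough channels agree and the local key matches. The gpg colon-format output, the channel names and every fingerprint below are constructed for illustration.

```python
import re
from collections import Counter

# Constructed `gpg --with-colons --import-options show-only --import key.asc`
# output with made-up IDs/fingerprints; note the subkey has its own 'fpr' record.
GPG_COLONS_OUTPUT = """\
pub:-:4096:1:89ABCDEF01234567:1339240906:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:4096:1:FEDCBA9876543210:1339240906::::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""
# Fingerprints gathered through independent channels (constructed; channel names
# hypothetical). The last differs in one digit: a channel the attacker altered.
OUT_OF_BAND = {
    "release-announcement": "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
    "https-download-page": "0123456789abcdef0123456789abcdef01234567",
    "colleague-by-phone": "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4568",
}

def normalize_fpr(text):
    """Upper-case hex without spaces, or None if not a 40-digit (v4) fingerprint."""
    fpr = re.sub(r"\s+", "", text).upper()
    return fpr if re.fullmatch(r"[0-9A-F]{40}", fpr) else None

def primary_fingerprint(colons_output):
    """Primary key fingerprint (field 10 of the first 'fpr' after 'pub'), else None."""
    after_pub = False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub:
            return fields[9]

def consensus(out_of_band, min_sources):
    """Fingerprint at least min_sources channels agree on, plus the dissenting channels."""
    votes, channels = Counter(), {}
    for channel, raw in out_of_band.items():
        fpr = normalize_fpr(raw)
        if fpr is None:  # malformed report: ignore rather than count it
            continue
        votes[fpr] += 1
        channels.setdefault(fpr, []).append(channel)
    if not votes or votes.most_common(1)[0][1] < min_sources:
        return None, list(out_of_band)  # no usable consensus: every channel is suspect
    best = votes.most_common(1)[0][0]
    return best, [ch for f, chs in channels.items() if f != best for ch in chs]

def key_is_trustworthy(colons_output, out_of_band, min_sources=2):
    """True only when the key actually held matches the out-of-band consensus."""
    local = primary_fingerprint(colons_output)
    agreed, dissent = consensus(out_of_band, min_sources)
    return (local is not None and local == agreed), dissent
```

A dissenting channel is worth investigating even when the consensus holds, since it is exactly the altered message Peter warns about.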
