can someone verify the gnupg Fingerprint for pubkey?

Robert J. Hansen rjh at sixdemonbag.org
Sat Jun 9 15:44:06 CEST 2012


On 06/09/2012 07:21 AM, Peter Lebbing wrote:
> So how /do/ you verify that you have the distribution key for GnuPG?

By fiat.  You go through some mechanism and at the completion declare,
"I am satisfied that the likelihood of this *not* being the correct
distribution key is quite low."  I'm not weighing in on what the
mechanism should be: I don't get to declare what anyone else's policy
should be.

> It doesn't really matter how many Werner Kochs there are.

Sure it does.  As an absurdist thought experiment, let's think of a
nation -- call it Kochistan.  In Kochistan, everyone is required to have
the name Werner Koch.  Most people in Kochistan are honest.  If you ask
them if they're *the* Werner Koch, they'll tell you no, they're not.

Some people in Kochistan are dishonest.  If you ask them if they're
*the* Werner Koch they will quickly tell you yes, create a certificate
with the same UID on it as the one which signs GnuPG releases, and give
you the fingerprint for *that* certificate.  This Werner Koch will then
call his cousin (also named Werner Koch) who runs an organized crime
outfit, and will tell him that if he can Trojan a copy of GnuPG that
you'll be happy to install it because you're under the impression that
he (Werner-who-is-not-our-Werner) is him (Werner-who-is-our-Werner).

There's a big difference between being *the* person and being *a*
person.  :)

> Crowdsourcing the knowledge seems viable, if you make sure the
> messages from the crowd are not altered by your attacker.

I'll trust crowdsourcing to find me good restaurants in my neighborhood.
If someone (or some group) subverts that system then I'm out a few
bucks for a meal that doesn't taste very good and I know not to trust
that restaurant review website again.  And I learn about this really
quickly, too -- all it takes is one or two bad meals and I've moved on
to find a better source for restaurant reviews.

I don't trust crowdsourcing to verify GnuPG.  If someone or some group
subverts that system my exposure might be much greater and I might not
learn about it for quite some time.

> And it's always a costs/benefits decision. How sure do you want to be
> that you have the unmodified sources? So I don't agree that it is as
> binary as "this is or isn't a proper verification".

Well -- not to be rude, but you did.  As you said, "at some point you'll
have to satisfy yourself that you have the correct key."  The process
you use to satisfy yourself will by definition satisfy yourself: that
makes it a proper verification.  But if you satisfy it by a process that
other people consider insufficient or deeply unhinged (in the case of
the séance with Elvis), they will say that it is *not* sufficient and
that makes it an improper verification.

Verification is inherently subjective.  A verification can
simultaneously be sufficient and insufficient -- sufficient for yourself
but not others, insufficient for yourself but not others, and so on.
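The practical check that defeats the Kochistan problem above is to pin the fingerprint of the key you decided to trust and match on that, never on the user ID string. The following is an added example, not code from Robert J. Hansen, the thread, or the GnuPG project: it parses the colon-delimited records that `gpg --with-colons --list-keys` emits (the same shape `--import-options show-only` produces), groups each `pub` record with its `fpr` and `uid` records, and shows that two distinct keys carrying the identical UID are indistinguishable by UID but cleanly separated by fingerprint. The sample records, key IDs, fingerprints, the e-mail address, and the pinned fingerprint are all constructed for the example.

```python
"""Pin a distribution key by fingerprint, not by user ID.

Added example (not from the mailing-list post or GnuPG).  Parses the
records that `gpg --with-colons --list-keys` prints, then contrasts a
lookup by user ID (ambiguous when an impostor reuses the same UID) with
a lookup by a pinned fingerprint (selects exactly one key or none).
"""

from dataclasses import dataclass, field

# Constructed sample in the shape of `gpg --with-colons` output; NOT real
# GnuPG data.  Two distinct keys both carry the same user ID string.
# Key IDs, fingerprints, uid hashes and the address are made up.
SAMPLE_COLONS = """\
tru::1:1339250000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1339200000::::::scESC::::::23::0:
fpr:::::::::1111222233334444555566667777888899990000:
uid:u::::1339200000::A1B2C3D4E5F60718293A4B5C6D7E8F9012345678::Werner Koch <werner@example.org>::::::::::0:
pub:-:4096:1:FEDCBA9876543210:1339210000::::::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:-::::1339210000::0918273645AFBECDEA1B2C3D4E5F6071828394A5::Werner Koch <werner@example.org>::::::::::0:
"""

# The fingerprint you have satisfied yourself is the right one, obtained
# out of band by whatever policy you chose.  An assumption for this
# example, written the way `gpg --fingerprint` displays it.
PINNED_FINGERPRINT = "1111 2222 3333 4444 5555  6666 7777 8888 9999 0000"
TARGET_UID = "Werner Koch <werner@example.org>"


@dataclass
class Key:
    keyid: str
    fingerprint: str = ""
    uids: list = field(default_factory=list)


def normalize_fpr(fpr: str) -> str:
    """Canonical form: uppercase hex with all whitespace removed."""
    return "".join(fpr.split()).upper()


def parse_colons(text: str) -> list:
    """Group pub/fpr/uid records into Key objects; subkeys are skipped."""
    keys = []
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            current = Key(keyid=fields[4])      # field 5: long key ID
            keys.append(current)
        elif rec in ("sub", "ssb"):
            current = None                      # following fpr belongs to a subkey
        elif rec == "fpr" and current is not None and not current.fingerprint:
            current.fingerprint = fields[9]     # field 10: primary fingerprint
        elif rec == "uid" and current is not None:
            current.uids.append(fields[9])      # field 10: user ID string
    return keys


def keys_matching_uid(keys: list, uid: str) -> list:
    """Every key that carries the UID: an impostor can always join this list."""
    return [k for k in keys if uid in k.uids]


def key_matching_fingerprint(keys: list, pinned: str):
    """The single key whose fingerprint equals the pinned one, else None."""
    wanted = normalize_fpr(pinned)
    hits = [k for k in keys if normalize_fpr(k.fingerprint) == wanted]
    return hits[0] if len(hits) == 1 else None


def verify_distribution_key(colon_output: str, uid: str, pinned: str) -> dict:
    """Compare the two selection strategies over the same keyring listing."""
    keys = parse_colons(colon_output)
    by_uid = keys_matching_uid(keys, uid)
    by_fpr = key_matching_fingerprint(keys, pinned)
    return {
        "uid_candidates": [k.keyid for k in by_uid],
        "uid_is_unambiguous": len(by_uid) == 1,
        "pinned_keyid": by_fpr.keyid if by_fpr else None,
        "pinned_key_carries_uid": by_fpr is not None and uid in by_fpr.uids,
    }


if __name__ == "__main__":
    for k, v in verify_distribution_key(SAMPLE_COLONS, TARGET_UID,
                                        PINNED_FINGERPRINT).items():
        print(f"{k}: {v}")
```

Against a real keyring you would feed the function the output of `gpg --with-colons --list-keys`, and the only value that should decide whether a downloaded release is trusted is `pinned_keyid` being non-None; `uid_candidates` is there to make the ambiguity visible, not to be acted on.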


