can someone verify the gnupg Fingerprint for pubkey?

Peter Lebbing peter at digitalbrains.com
Sat Jun 9 17:05:05 CEST 2012


On 09/06/12 15:44, Robert J. Hansen wrote:
> I'm not weighing in on what the mechanism should be: I don't get to declare 
> what anyone else's policy should be.

I was under the impression you did. I interpreted your mail and particularly the
statement

> but this either is or isn't a proper verification, and there's no 
> in-between.

as meaning that there is only one correct way to do a proper verification. From
your reply, I understand now you did not mean it like that. I was already quite
puzzled about my interpretation because it didn't sound like you :).

>> It doesn't really matter how many Werner Kochs there are.
> 
> Sure it does.  As an absurdist thought experiment, let's think of a nation --
> call it Kochistan.  In Kochistan, everyone is required to have the name 
> Werner Koch.  Most people in Kochistan are honest.  If you ask them if 
> they're *the* Werner Koch, they'll tell you no, they're not.

Funnily, we're saying the same thing. You yourself said you don't particularly
care if Werner Koch is actually called Horace Micklethorpe or Harry Palmer or
... Then why are you interested in the number of Werner Kochs?

The thing I'm interested in: is the source of GnuPG I downloaded actually the
program we know and love? I'm at this point not interested in the fact that
Werner Koch is a main developer of it, or what his proper name is. For all I
know his birth name indeed is Horace. He might as well have given the UID "GnuPG
dist sig" to the key, instead of "Werner Koch (dist sig)". The only reason we
are talking about "the" Werner Koch is that his name is in the UID, which might
as easily not have been. As I said, the number of Werner Kochs is insubstantial.

> I don't trust crowdsourcing to verify GnuPG.  If someone or some group 
> subverts that system my exposure might be much greater and I might not learn
>  about it for quite some time.

So how did you verify your GnuPG source? If you say "I asked a close friend", my
counterquestion is: How did he/she? What I want to know is: what bootstrapped
the confidence that the key was the proper GnuPG dist sig?

Personally, I did it by checking from a number of locations that the key making
the signature is the same from wherever I try. Also, I spread the checks over a
substantial period of time. If the website got hacked, I hoped it would come out
in that period of time. It did not at any point include the quantity of Werner
Kochs.

Now, if I wanted more satisfaction, I would indeed turn to this mailing list,
ask members whether they see the same fingerprint, and check the replies from
several locations to see that from wherever I check, the replies are identical.

Again, add a little time to allow for members to write to the mailing list "Hey, I
did not write that reply!" in case of impersonation. Hopefully at least one
person would notice and expose the deception.

And I do not see this process as, to quote you, "certifiably crazy" at all. It
would perhaps be if I only checked it from the same computer as where I
downloaded the source and signature and keyblock, but nowhere is it stated this
is the case.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
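The procedure described in the message above (the key behind the signature must look the same from several locations, and the checks are spread over time) as an added Python example; this is not code from the thread or from GnuPG. It parses `gpg --with-colons` style listings; the three captures, the fingerprint, the key ID and the `listing` helper are constructed placeholders.

```python
from datetime import date

# Constructed sample captures of `gpg --with-colons` key listings, as if
# taken from three network locations on different dates. The fingerprint
# and key ID are made-up placeholders, not any real key's values.
FAKE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

def listing(fpr):
    """Build a minimal colon-format listing (pub / fpr / uid records)."""
    return ("pub:-:2048:1:" + fpr[-16:] + ":2012-01-01::-:::scESC::::::\n"
            "fpr:::::::::" + fpr + ":\n"
            "uid:-::::2012-01-01::HASH::Werner Koch (dist sig):::::::::\n")

CAPTURES = [
    ("home DSL", date(2012, 5, 1), listing(FAKE_FPR)),
    ("office", date(2012, 5, 20), listing(FAKE_FPR)),
    ("friend's connection", date(2012, 6, 9), listing(FAKE_FPR)),
]
# Same captures plus one location that reports a different key, as a
# hacked website or a tampered network path would produce.
TAMPERED = CAPTURES + [("mirror", date(2012, 6, 10), listing("F" * 40))]

def parse_listing(text):
    """Return (fingerprint, [user IDs]) from a colon-format listing.
    In both the fpr and uid records the value sits in field 10."""
    fpr, uids = None, []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and fpr is None:
            fpr = fields[9]
        elif fields[0] == "uid":
            uids.append(fields[9])
    return fpr, uids

def check_captures(captures, min_days=30):
    """Accept only if every location saw the same single fingerprint and
    the observations span at least min_days; returns (ok, detail)."""
    seen = {}
    for loc, _, text in captures:
        fpr, _ = parse_listing(text)
        if fpr is None or len(fpr) != 40:
            return False, f"{loc}: no usable fingerprint"
        seen.setdefault(fpr, []).append(loc)
    if len(seen) != 1:
        return False, f"fingerprints disagree: {seen}"
    days = [d for _, d, _ in captures]
    span = (max(days) - min(days)).days
    if span < min_days:
        return False, f"observations span only {span} days"
    return True, next(iter(seen))
```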
