can someone verify the gnupg Fingerprint for pubkey?

Robert J. Hansen rjh at sixdemonbag.org
Sat Jun 9 17:17:25 CEST 2012


On 06/09/2012 11:05 AM, Peter Lebbing wrote:
> your reply, I understand now you did not mean it like that. I was
> already quite puzzled about my interpretation because it didn't sound
> like you :).

Thank you for giving me the benefit of the doubt.  :)

> Funnily, we're saying the same thing. You yourself said you don't
> particularly care if Werner Koch is actually called Horace
> Micklethorpe or Harry Palmer or ... Then why are you interested in
> the number of Werner Kochs?

I'm not interested in the number of Werner Kochs.  I'm interested in the
difference between *the* entity and *an* entity.  The entity that signs
these releases happens to be Werner.  But there are many entities named
Werner, so how do we know we have the certificate belonging to the
correct entity?  It's an identification problem.  Werner's only
relevance to it _qua_ himself is that we acknowledge him as the
definitive authenticator of the code: "yes, that is the code I wrote."

If we're going to rely on a definitive authenticator, shouldn't we
ensure we're actually talking to the actual authenticating entity?  :)

> So how did you verify your GnuPG source? If you say "I asked a close
> friend", my counterquestion is: How did he/she? What I want to know
> is: what bootstrapped the confidence that the key was the proper
> GnuPG dist sig?

My bootstrap is "I trust my Linux distribution."  My distro is a trusted
software provider, in the traditional security sense of a "trusted
provider".  If I receive software from an official Fedora repo and it is
signed by the repo release team, that's good enough for me.  How did I
come to trust that I have the correct certificate for the repo release
team?  Because it came on the DVD, which is my trusted bootstrap.  I
fully acknowledge this is validation by fiat.  Some people will think
it's a perfectly reasonable way of doing things.  Others will think I'm
crazy.  It's up to the individual to decide.  :)

> And I do not see this process as, to quote you, "certifiably crazy"
> at all.

And as I said, apparently you and I have completely different opinions
on whether crowdsourcing should be trusted for these matters.  And, you
know, that's okay.  :)
