can someone verify the gnupg Fingerprint for pubkey?

Sam Smith smickson at hotmail.com
Sun Jun 10 15:59:00 CEST 2012


Okay. So please let me know if I understand correctly what I am supposed to do (or what you guys are recommending be done) with key signing:

I downloaded the GnuPG program and ran gpg --verify. I am told the keyID that signed the program. I download that KeyID from a keyserver. I now ask people on this list to verify the fingerprint of the key I got from the keyserver as a legit key. (So far this behavior is okay, right?) Since people on this list verified the fingerprint, I have enough confidence to verify the GnuPG program with the key. BUT I do not have enough confidence to mark the key (the one I got from the keyserver) as Trusted or to Sign the key because I have not met with Werner Koch in person and seen credentials.

Summation of Proper Key Signing Behavior: 

1.) I should NOT sign a key as trusted unless I have actually met with the person and seen his/her credentials. I can sign if I KNOW the person and verify the fingerprint with that person. But even these situations run the risk of dealing with a "secret agent."

Applying this rule, since I have not met Werner Koch, I should not sign his key. Verifying the fingerprint on a downloaded key is enough to use the key to verify software, but it's not enough to actually trust and sign the key. Hence using it to verify runs some risk because the key is not totally trustworthy.

Every time I use Werner Koch's key to verify a GnuPG program, I will get the warning that I am verifying with an untrusted key. You guys all get this warning because all of you are also not signing keys (even if you've verified the fingerprint with others) because you have not met with all the people needed in order to sign all the keys you have. Right? You guys all get this warning whenever you "gpg --verify", right?

In short, I should always be seeing the notice that I have verified using an untrusted key when using Werner Koch's key unless/until I actually meet him and see credentials. The only time you guys don't see this notice when verifying a key is when you use a key that you have actually met the signer of face to face, right?


Do I understand correctly? Is this all accurate? With this behavior, would I be doing Best Practices and what you guys all do?


Thanks for the instruction, guys. I appreciate the time and energy you guys spent writing the emails to me. Means a lot to me.


> Date: Sat, 9 Jun 2012 06:09:54 +0100
> From: david at gbenet.com
> To: smickson at hotmail.com
> CC: gnupg-users at gnupg.org
> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 08/06/12 22:41, Sam Smith wrote:
> > 
> > Another thing is that downloading the key from that link you provided is no guarantee of safety in and of itself either because the page is not being hosted over SSL with confirmed identity information. So technically there's no guarantee I'm actually interacting with the GnuPG.org website.
> > 
> > 
> > 
> >> Date: Thu, 7 Jun 2012 05:23:43 +0100
> >> From: david at gbenet.com
> >> To: gnupg-users at gnupg.org
> >> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> >>
> > On 07/06/12 00:15, Sam Smith wrote:
> >>>> yes, impersonation of the UID [Werner Koch (dist sig)] is what I'm trying to guard against.
> >>>>
> >>>> My efforts to verify the fingerprint are the best way to do this, correct?
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>> Date: Wed, 6 Jun 2012 21:54:01 +0200
> >>>>> From: peter at digitalbrains.com
> >>>>> To: gnupg-users at gnupg.org
> >>>>> Subject: Re: can someone verify the gnupg Fingerprint for pubkey?
> >>>>>
> >>>>> On 06/06/12 17:58, Mika Suomalainen wrote:
> >>>>>>> D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> >>>>>> Looks correct.
> >>>>>>
> >>>>>> ```
> >>>>>> % gpg --recv-keys D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> >>>>>> gpg: requesting key 4F25E3B6 from hkp server pool.sks-keyservers.net
> >>>>>> gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
> >>>>>> ```
> >>>>>
> >>>>> I agree it appears he has the correct key. I did a local sig on it after what
> >>>>> checking I seemed to be able to do without meeting people in person.
> >>>>>
> >>>>> But it's a bit unclear to me on what basis you decided it looked correct? Your
> >>>>> mail suggests to me that you decided that based on the fact that the UID on
> >>>>> that key is "Werner Koch (dist sig)". But that would be the very first thing a
> >>>>> potential attacker would duplicate in his effort to fool our OP. Even if he's
> >>>>> using MITM tricks to subvert his system, he can still post his personally
> >>>>> generated key to the keyserver with this UID.
> >>>>>
> >>>>> Peter.
> >>>>>
> >>>>> PS: I briefly considered signing this message, because the attacker might MITM
> >>>>> my message to the OP. Then I realised what good that signature would do :).
> >>>>>
> >>>>> --
> >>>>> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> >>>>> You can send me encrypted mail if you want some privacy.
> >>>>> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
> >>>>>
> >>>>> _______________________________________________
> >>>>> Gnupg-users mailing list
> >>>>> Gnupg-users at gnupg.org
> >>>>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> >>>>
> >>>>
> > 
> > Sam,
> > 
> > You are a little confused - you ask "can some one verify the gnupg fingerprint for
> > pubkey" and you use Werner's key to verify gnupg. Then you worry about impersonation - now
> > clearly Werner and gnupg have different keys. Or don't you know that?
> > 
> > Clearly you failed to follow my link and clearly you failed to check the public key for
> > gnupg. Now being a little confused try and get a clear question in your mind - is it
> > Werner's key that you have such a passion to verify or gnupg?
> > 
> > Werner's had about three keys two of which have expired - to the best of my knowledge he's
> > a real person - he even maintains this list. You could always try encrypting an e-mail to
> > his public key asking him if he's a real person. I'd suggest you not do the same for the
> > public key of gnupg.
> > 
> > People generate a private and a public key imaginary people don't do this - granted some one
> > can set up a false ID and create a set of keys - but though they have created a false ID to
> > do so they are nevertheless real people.
> > 
> > If you are so concerned about Werner's key why not take a trip to Germany and arrange to
> > meet him? You can't meet the gnupg (as it's a bit of software) but you can verify it's
> > running on your computer.
> > 
> > All your keys are "untrusted." Everyone of them - apart from your own public key. They all
> > remain so until you actually meet that person and verify that they are who they say they
> > are. You carefully check their passport their driving licence.
> > 
> > But gnupg has not got a passport or a driving license. The only way you can check if gnupg
> > is real is to check if it's running on your computer gpg --version - this will tell you if
> > you have the software installed. If it's installed and working correctly it must be real.
> > 
> > What if that fails? Well you do the same thing gpg2 --version and hope that Werner does not
> > pop up and say "Hello."
> > 
> > David
> > 
> > 
> >>
> >
> Sam,
> 
> You have to apply some logic - and some common sense. I have about 180 public keys - all
> apart from about 5 or 6 are untrusted. Now a lot of people have my public key say 175 and
> all those people have my public key marked as untrusted.
> 
> The whole idea behind the web of trust is that you have met "real" people. On the whole most
> people are who they say they are - but with all systems you get people using fake IDs.
> 
> Now Werner Koch has a reality - he writes GPG4Win GnuPG and maintains this list - but
> because I've not met him (though I have exchanged e-mails with him) I have not signed his key.
> 
> Why?
> 
> The whole principle underlying the web of trust is that you have met that person in the
> real world and to the best of your knowledge - they are who they say they are and their
> public key belongs to them.
> 
> It is a principle of the whole system that you only sign people's keys. The person comes
> first - not the key.
> 
> It's not the validity of keys but the validity of people. So in your every day life you
> accept that the train driver the bus driver the person behind the bar - your wife and kids
> are all living real and normal lives. Now, your wife and kids are somewhat different. You
> married your wife and thus can trust she presented to you a real ID. You had sexual
> intercourse with this real person (your wife) and she as a result of that intercourse
> produced your kids.
> 
> Your relationship to your wife and kids is special - you trust that they are really real and
> you believe it to be true. And why not? You wake up in the morning beside her - you watch
> your kids grow up. Now 20 years into your marriage you discover that your wife's a secret
> agent - Jane Brown - not the Mary Smith you thought you married - and that where you thought
> believed your kids sprung from your seed they were in fact from the milkman. The reality -
> the belief is she's still your wife and they are your kids - they have behaved as such.
> 
> 
> Most people are bound up with beliefs and behaviours. They interact with others on a daily
> basis sharing common values beliefs and behaviours. Under normal conditions we don't ask
> every one we meet for their passport driving license or DNA sequence. We accept it as the
> norm that people are real and valid - it's the IDs they use which may or may not be questionable.
> 
> A spy may have say 6 IDs - the IDs are fictitious but the person is real. You have lots of
> family and friends - who they are - what they are changes over time and changes because of
> the conditions under which you meet them - they could be a Father a Professor - an Olympic
> Javelin thrower - then Retired - then dead. All these are IDs - which govern your
> behavioural interaction with that person. What do you trust? That you hear them speak? You
> have shaken them by the hand? Gone down the pub with them?
> 
> In truth we can not say that all these IDs are "real" neither can we say they are "false."
> But we interact with them and so build a reality of behaviours - sharing common interests
> and values and beliefs. Just like all these people on this mailing list. People are real.
> Though they may have many identities.
> 
> It is common practice to accept people at "face value" - even if you only "know" them from
> being on a mailing list. It is by common interaction "communication" that one reinforces
> one's own belief systems and we accept the commonly held belief that we are interacting with
> a real person - we through our own perception then make judgements about that person - we
> like them or we don't - we admire and respect them or we don't we trust what they have to
> say or we don't.
> 
> We make value judgements about real people - no matter what ID they present to us. It's the
> "face value" which is the key. Have we met the person? We affirm the reality of people via
> our social networking. Mary knows Bob - Bob knows Harry and Harry knows Mary. You can ask
> Bob and Harry to confirm that it really is Mary that you are talking to. We all can
> confirm to some degree the reality of Werner Koch - by what he does. But I have not met him
> in any social network other than this and other mailing lists.
> 
> So people on this mailing list "know" that Werner Koch is "real." You can send him an
> encrypted e-mail and if he has your public key reply to you. The "reality" is we make people
> "personal" to ourselves by interacting with them. If we don't interact we don't build any
> models in our minds. If say 5 people said that they had actually met Werner in the flesh -
> at face value - you would accept that Werner Koch was who he said he was.
> 
> We assign material documents to give validity to real people. People come first not the
> documentation. A public key is such a document. A person may generate many public keys - the
> person is the real validity. You do not affirm a level of trust in the public key. You
> affirm a level of trust in the person. So all your public keys are untrustworthy except for
> those people that you have met. So even though I and many others have exchanged e-mails with
> Werner Koch his public key remains untrusted.
> 
> Likewise you can not meet face to face with a bit of software though you may affirm its on
> your computer and you may affirm by interacting with it - the fact remains the public key
> remains untrustworthy.
> 
> I have lots of keys - 98 per cent are "untrustworthy." It's normal. It is not the same as
> having the perception of an untrustworthy person - which is based on our perception of the
> value system we place on their behaviours. A public key is a static document - whereas
> people - those that are alive have values belief systems and behaviours that interact with
> other human beings out of common interests and goals. Some people have a mind set that says
> "that person is real therefore their documents are real." Then they form value judgements on
> that documentation - to trust or not to trust - as though they were interacting with real
> people.
> 
> In reality we can not judge the value of documents. In reality we can judge the value of
> people. We make value judgements about people all the time - based on their interaction with
> us - our mood - how we feel at any given time. We interpret according to our reality and
> perceptions.
> 
> What is our "reality" about public key encryption? The validation of public keys? The
> validation of real people? We almost forget why we want public key encryption - so that only
> the recipient can read our e-mails. The "recipient" is a person - their public key is merely
> a tool to which software on your computer can encrypt to their public key. That's the only
> reality a public key has. It is not a seal of authenticity - not a rubber stamp. It has no
> power vested in it as to give "authority." It is merely a means for secure communications
> over an insecure network.
> 
> The web of trust - signing people's keys is based on people meeting face to face and
> interacting in a social network - it is not about the level of trust one has in the public
> key. A key's "validity" is it works. The validity is the recipient of an encrypted message
> can decrypt it. All keys are valid in this respect. They are in a sense all trustworthy. All
> keys do what they say they can do. Without any failure. So you need not set any level of
> trust on keys because they work perfectly.
> 
> The "trust" is in the person - not the public key. So some would argue that signing Werner's
> key is crazy - has no logic and a misplaced value system. I'd have to agree.
> 
> David
> 
> 
> - -- 
> “See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the
> kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No
> delusion.” https://linuxcounter.net/user/512854.html - http://gbenet.com/blog
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> -----END PGP SIGNATURE-----
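
The quoted thread notes that the UID "Werner Koch (dist sig)" is free text that anyone can attach to a key they upload, so the check that matters is the full 40-digit fingerprint, not the UID or the short key ID. The script below is an added example, not part of the original messages: the colon-format listings, the look-alike key and the function names are constructed for illustration, and only the fingerprint D869 ... E3B6 comes from the thread.

```sh
#!/bin/sh
# Added example. Listings below are constructed `gpg --with-colons --fingerprint`
# style records; only PAGE_FPR is taken from the thread, all else is made up.
PAGE_FPR='D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6'
GENUINE='pub:-:2048:1:249B39D24F25E3B6:1300000000:::-:Werner Koch (dist sig):
fpr:::::::::D8692123C4065DEA5E0F3AB5249B39D24F25E3B6:'
# Hypothetical look-alike: same UID, same short key ID 4F25E3B6, other key.
LOOKALIKE='pub:-:2048:1:DDDD44444F25E3B6:1300000000:::-:Werner Koch (dist sig):
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD44444F25E3B6:'

# Strip spaces/colons and upper-case, so pasted fingerprints compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Print the fingerprint that follows each primary-key (pub) record on stdin.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Count keys on stdin whose user ID equals $1 (free text anyone can choose).
count_uid() {
    awk -F: -v uid="$1" '($1 == "pub" || $1 == "uid") && $10 == uid { n++ }
                         END { print n + 0 }'
}

# Succeed only if stdin lists exactly one primary key and its full
# fingerprint equals $1. Returns 2 for anything shorter than 40 hex digits.
listing_is_key() {
    expected=$(normalize_fpr "$1")
    [ "${#expected}" -eq 40 ] || return 2
    found=$(primary_fprs)
    [ "$found" = "$expected" ]
}

for name in GENUINE LOOKALIKE; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | listing_is_key "$PAGE_FPR"; then
        echo "$name: fingerprint matches"
    else
        echo "$name: fingerprint MISMATCH, do not use for --verify"
    fi
done
```

With a real keyring the listing would come from `gpg --with-colons --fingerprint` for the imported key, and the expected fingerprint from a source independent of the keyserver the key was fetched from.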