MIME or inline signature?

Stephan Beck stebe at mailbox.org
Sun Feb 15 16:12:01 CET 2015


Hi MFPA

Am 15.02.2015 um 13:14 schrieb MFPA:
> 
> 
> On Saturday 14 February 2015 at 10:05:24 PM, in
> <mid:54DFC6A4.8070302 at mailbox.org>, Stephan Beck wrote:
> 
> 
>> Well, it's rather a precautionary measure than an
>> actual security measure, reminding me of not trusting
>> the key owner's ability to handle and verify signatures
>> correctly, if he/she uses a signature no one has the
>> chance to check because the information about the
>> public key's location isn't indicated by its owner in
>> his/her very message.
> 
> When I check the signature of the first message in this thread
> (Message-ID: <m0vbj6n3xy.fsf at kcals.intra.maillard.im>), GnuPG fetches
> Xavier's key from a keyserver. I don't see why information about a
> public key's location would need to be indicated for a key that is on
> the keyservers. 

Didn't you say before you got the same error message as I did?
No, it does not fetch the correct key, not with that very message. What is it
that indicates (to you) that the server might be down?
Enigmail, which I use in combination with gpg, tries to verify the signature by
fetching the key DE2FFC869AFA5165 (the key the message was signed with according
to Enigmail) from keyservers, and that action fails, resulting in a "bad
signature..." output. It most likely fails because the key the message was
signed with is not on the keyservers.
The header of the message <m0vbj6n3xy.fsf at kcals.intra.maillard.im> in question
is (sorry for having to be that explicit)

X-GPG-Key-ID: 0xBA4909B78F04DE1B
X-GPG-Key: http://wwwkeys.pgp.net/pks/lookup?search=0xBA4909B78F04DE1B&op=index
X-GPG-Fingerprint: 9983 DCA1 1FAC 8DA7 653A  F9AA BA49 09B7 8F04 DE1B

Obviously, it indicates a key ID 0xBA4909B78F04DE1B and links to a key that is
not the key the message was signed with (which is DE2FFC869AFA5165, according to
Enigmail/gpg), even if the fingerprint is given as well.
A previous message of his was signed with the key ID 0xBA4909B78F04DE1B, hence
Enigmail imported this key correctly.


> That said, Xavier's message kludges contain the key-id
> and fingerprint, as well as a link to the lookup of that key on a
> keyserver (wwwkeys.pgp.net, which seems to be down at the moment).

> On my keyring, my own keys have a 5 "I
> trust ultimately" and all other keys have the default. (I presume not
> setting trust on a key is the same as setting 1 "I don't know or won't
> say".)

In fact, it isn't quite the same. The default, before ever having verified the
key owner's identity, is "I don't know or won't say". The option 2 "I do not
trust" refers to the poor or zero trust you have in the key owner's ability to
sign and verify other signatures correctly, as a result of a behaviour/attitude
of the key owner which is contrary to the principles of the Web of Trust, for
instance.
It is not possible to verify the key DE2FFC869AFA5165 with the information given.

Best regards

Stephan Beck


Below I paste the German output of Enigmail as a proof of what I'm saying.
I have already translated it in my previous message.

Enigmail-Sicherheitsinfo:

Fehler - Überprüfung der Unterschrift fehlgeschlagen
Öffentlicher Schlüssel DE2FFC869AFA5165 zur Überprüfung der Unterschrift benötigt

FALSCHE Unterschrift von Xavier Maillard <xavier at maillard.im>
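A small consistency check of the kind this thread calls for, added here as an example and not code from the post, from Enigmail or from GnuPG: it compares the key ID advertised in a message's X-GPG-* headers with the advertised fingerprint and with the key ID GnuPG reports on its --status-fd output. The headers are the ones quoted above; the status lines are constructed to mirror what Enigmail reported (the signing key DE2FFC869AFA5165 being absent), and the ERRSIG timestamp is a placeholder.

```python
import re

# Constructed sample input: the headers quoted in the post above.
SAMPLE_HEADERS = {
    "X-GPG-Key-ID": "0xBA4909B78F04DE1B",
    "X-GPG-Key": "http://wwwkeys.pgp.net/pks/lookup?search=0xBA4909B78F04DE1B&op=index",
    "X-GPG-Fingerprint": "9983 DCA1 1FAC 8DA7 653A  F9AA BA49 09B7 8F04 DE1B",
}

# Constructed sample of `gpg --status-fd 1 --verify` output when the signing key
# is not in the keyring. Format: ERRSIG <keyid> <pkalgo> <hashalgo> <class> <time> <rc>.
# The timestamp is a placeholder value.
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG DE2FFC869AFA5165 1 8 00 1423953600 9
[GNUPG:] NO_PUBKEY DE2FFC869AFA5165
"""

def norm_keyid(value):
    """Return the 64-bit key ID (last 16 hex digits) of a key ID or fingerprint,
    uppercased, with spaces and an optional 0x prefix removed."""
    value = re.sub(r"^0x", "", value.strip(), flags=re.IGNORECASE)
    return re.sub(r"[^0-9A-Fa-f]", "", value)[-16:].upper()

def signing_keyid(status_text):
    """Return (key ID the signature was made with, whether its public key was found)."""
    keyid, have_pubkey = None, True
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("ERRSIG", "GOODSIG", "BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            keyid = norm_keyid(parts[2])
        elif parts[1] == "NO_PUBKEY":
            have_pubkey = False
    return keyid, have_pubkey

def check_advertised_key(headers, status_text):
    """Flag a message whose advertised key does not match the key that signed it."""
    advertised = norm_keyid(headers["X-GPG-Key-ID"])
    fingerprint = norm_keyid(headers["X-GPG-Fingerprint"])
    signer, have_pubkey = signing_keyid(status_text)
    return {
        "advertised": advertised,
        "fingerprint_matches_advertised": fingerprint == advertised,
        "signer": signer,
        "signer_matches_advertised": signer == advertised,
        "signer_pubkey_available": have_pubkey,
    }
```

Run against the sample, the headers are self-consistent (fingerprint and key ID agree), but the signer is a different key whose public key is not available, which is exactly the situation the thread describes.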


