Proposal of OpenPGP Email Validation

Ingo Klöcker kloecker at kde.org
Thu Jul 30 10:17:44 CEST 2015


On Thursday 30 July 2015 08:04:28 Viktor Dick wrote:
> Now that I think about it - if I search for the original author of the
> c't article (ju at ct.de), who complained about getting mails that were
> encrypted to some fake key, I would assume that the keys 38EA4970 and
> E1374764 are both genuine, because they both have not only selfsigs.
> BTW, they are both signed by different keys with the UID
> 'pgpCA at ct.heise.de', so they already have a similar service in place -
> of course I had to do a websearch to find if these keys are genuine,
> which should probably be easier. I guess ideally the UID would contain a
> weblink to a page that has the fingerprint and describes the service
> shortly.

I'm sorry to tell you that you have fallen into the trap. There is only one 
genuine pgpCA at ct.heise.de key, the fingerprint of which is printed in each 
issue of the c't magazine. The other one is a fake. And the fact that the fake 
key with the author's email address is signed by different keys only means 
that a lot of people have signed this fake key without following the proper 
procedure of key validation (or that the trolls created even more fake keys to 
sign the author's fake key to make it look more credible).


Regards,
Ingo
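
The check described in the reply above, as an added example that is not part of the original message: a key counts as certified only when a verified certification comes from the key whose full fingerprint was obtained out of band, never because of a matching UID or the number of signatures. It assumes a listing in the format of `gpg --with-colons --check-sigs --no-sig-cache` (issuer fingerprint in field 13 of `sig` records); all fingerprints, addresses and helper names are constructed.

```python
# Constructed sample shaped like `gpg --with-colons --check-sigs --no-sig-cache` output.
# Every fingerprint and address below is made up; none comes from the thread.
A_FPR = "1111222233334444555566667777888899990000"
B_FPR = "ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD"
CA_FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"         # stands in for the printed fingerprint
LOOKALIKE_FPR = "5555EEEE4444DDDD3333CCCC2222BBBB1111AAAA"  # different key, same UID as the CA
CERT_CLASSES = {"10x", "11x", "12x", "13x"}                 # OpenPGP certification signature types

def _sig(status, issuer, uid, cls="10x"):
    # sig record: field 2 = check result, 5 = key ID, 10 = UID, 11 = class, 13 = issuer fpr
    return f"sig:{status}::1:{issuer[-16:]}:1400000001::::{uid}:{cls}::{issuer}:"

def _key(fpr, sigs):
    return [f"pub:-:4096:1:{fpr[-16:]}:1400000000:::-:::scESC:", f"fpr:::::::::{fpr}:",
            "uid:-::::1400000000::::Author <author@example.org>:",
            _sig("!", fpr, "Author <author@example.org>", "13x")] + sigs

SAMPLE = "\n".join(
    _key(A_FPR, [_sig("!", CA_FPR, "pgpCA@example.org")]) +
    _key(B_FPR, [_sig("!", LOOKALIKE_FPR, "pgpCA@example.org"),
                 _sig("!", "77" * 20, "Someone <someone@example.net>"),
                 _sig("?", CA_FPR, "[User ID not found]")]))  # unverified claim of the CA fpr

def assess(listing, trusted_fpr):
    """Per primary key: count third-party certifications and report whether any
    verified one ('!') was issued by the key with fingerprint trusted_fpr."""
    trusted = trusted_fpr.replace(" ", "").upper()
    keys, cur, want_fpr = {}, None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            want_fpr = True                       # the next fpr record names the primary key
        elif f[0] == "fpr" and want_fpr:
            cur, want_fpr = f[9].upper(), False
            keys[cur] = {"third_party_sigs": 0, "certified": False}
        elif f[0] == "sig" and cur and len(f) > 12 and f[10] in CERT_CLASSES:
            if cur.endswith(f[4].upper()):
                continue                          # self-signature: says nothing about the owner
            keys[cur]["third_party_sigs"] += 1
            # The signer's UID (field 10) is deliberately ignored: anyone can choose it.
            if f[1] == "!" and f[12].upper() == trusted:
                keys[cur]["certified"] = True
    return keys

if __name__ == "__main__":
    for fpr, verdict in assess(SAMPLE, CA_FPR).items():
        print(fpr, verdict)
```

Revoked or expired certifications are not evaluated here; the block covers only the fingerprint comparison.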