Proposal of OpenPGP Email Validation

nico at enigmail.net
Thu Jul 30 14:43:35 CEST 2015


Indeed,

as written in the proposal
key 8B5A ABB1 A033 21CE C2FF C35F 3BA0 E844 EDEB DFE9
> https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&search=0x3BA0E844EDEBDFE9
is a faked key which is signed by a faked CA.
THAT's exactly the problem I want to fix!

And note that for ordinary users it is not that easy to find out
Yes, people could in this case double check with the web site of
the magazine. But they simply don't do that (including me and
a couple of other people here in this forum!).
As a result Jürgen again and again gets emails with the wrong key.
And I didn't get an answer from Jürgen ...
And ...
I want to avoid this unnecessary burden.

BTW, as another example,
several keys of team at gpgtools.org are faked
(search for these keys and see the interesting result).


On 30.07.2015 at 12:23, MFPA wrote:
> Hi
> 
> 
> On Thursday 30 July 2015 at 9:27:37 AM, in
> <mid:55B9DFF9.6080507 at gmail.com>, Viktor Dick wrote:
> 
> 
>> On 2015-07-30 10:17, Ingo Klöcker wrote:
>>> I'm sorry to tell you that you have fallen into the trap. There is only one
>>> genuine pgpCA at ct.heise.de key the fingerprint of which is printed in each
>>> issue of the c't magazine. The other one is a fake. And the fact that the fake
>>> key with the author's email address is signed by different keys only means
>>> that a lot of people have signed this fake key without following the proper
>>> procedure of key validation (or that the trolls created even more fake keys to
>>> sign the author's fake key to make it look more credible).
> 
>> Not according to
>> http://www.heise.de/security/dienste/PGP-Schluessel-der-c-t-CA-473386.html
>> where three different keys are listed (two DSS and one
>> RSA).
> 
> 
> I concur that the keys 38EA4970 and E1374764 both look likely to be
> genuine. One has signatures from B3B2A12C, the other from DAFFB000.
> The link above lists as "ct magazine CERTIFICATE <pgpCA at ct.heise.de>"
> keys B3B2A12C and DAFFB000, as well as a third key BB1D9F6D.
> 
> 
> As for the other non-revoked keys I found by searching for "schmidt
> juergen heise de":-
> 
>         all four are signed by a "ct magazine CERTIFICATE
>         <pgpCA at ct.heise.de>" key F6ADD6C2 that is not listed on the
>         magazine's page.
> 
>         all four are also signed by a "ct magazine CERTIFICATE <ct
>         magazine CERTIFICATE>" key FB4DFDC6.
> 
>         one of the four has a UID claiming itself to be another "ct
>         magazine CERTIFICATE <pgpCA at ct.heise.de>" as well as being
>         Juergen Schmidt's key.
> 
> Also all four have the same creation date.
> 
> I guess anybody being fooled didn't look at the page linked above, or
> they would have used key 2C26A309 "ct magazine pgpCA CommunicationKey
> 2015 <pgpCA at ct.heise.de>" when contacting the magazine. (-;
> 

-- 
Nicolai M. Josuttis
www.josuttis.de
mailto:nico at enigmail.net
PGP fingerprint: CFEA 3B9F 9D8E B52D BD3F 7AF6 1C16 A70A F92D 28F5
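The check MFPA walks through above (compare the "ct magazine CERTIFICATE" signers on a candidate key against the CA key IDs the magazine actually publishes), written out as an added example that is not part of this thread or of GnuPG itself. It parses `gpg --with-colons --list-sigs` output; the sample records, the long key IDs (zero-padded placeholders around the short IDs named in the thread, plus a DEADBEEF placeholder) and the author address are constructed.

```python
"""Added example (not from the thread or GnuPG): flag keys whose 'CA'
certifications come from a key the organisation does not publish. Parses
`gpg --with-colons --list-sigs` output: in a 'sig' record field 5 is the
signer's long key ID, field 10 its user ID, field 11 the signature class."""
from typing import Dict, List, Tuple

def parse_certifications(colon_output: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each 'pub' key (long key ID) to its (signer key ID, signer UID) pairs."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            result[current] = []
        elif f[0] == "sig" and current is not None and len(f) > 10:
            if f[10][:2] in ("10", "11", "12", "13"):  # 0x10-0x13: UID certifications
                result[current].append((f[4], f[9]))
    return result

def audit(colon_output: str, published_ca_keyids,
          ca_markers=("ct magazine CERTIFICATE", "pgpCA@ct.heise.de")):
    """Per key: signers that ARE the published CA keys versus signers that merely
    CLAIM the CA's name. A key certified only by impostor CAs has no trust path."""
    published = {k.upper() for k in published_ca_keyids}
    report = {}
    for keyid, certs in parse_certifications(colon_output).items():
        listed, impostors = set(), set()
        for signer, uid in certs:
            if signer.upper() in published:
                listed.add(signer)
            elif any(m in uid for m in ca_markers):
                impostors.add(signer)  # wears the CA's name but is not on the list
        report[keyid] = {"listed_ca": sorted(listed), "impostor_ca": sorted(impostors),
                         "trust_ca_path": bool(listed)}
    return report

# Constructed sample modelled on the thread: one key certified by a published CA
# key (...B3B2A12C), one certified only by unlisted keys carrying the CA's name
# (...F6ADD6C2, ...FB4DFDC6). Long IDs are zero-padded around the short IDs.
SAMPLE = """\
pub:-:2048:1:0000000038EA4970:1420000000:::-:::scESC::::::23::0:
sig:::1:0000000038EA4970:1420000000::::Juergen Schmidt <author@example.org>:13x:::::2:
sig:::1:00000000B3B2A12C:1420000000::::ct magazine CERTIFICATE <pgpCA@ct.heise.de>:10x:::::2:
pub:-:2048:1:00000000DEADBEEF:1430000000:::-:::scESC::::::23::0:
sig:::1:00000000F6ADD6C2:1430000000::::ct magazine CERTIFICATE <pgpCA@ct.heise.de>:10x:::::2:
sig:::1:00000000FB4DFDC6:1430000000::::ct magazine CERTIFICATE <ct magazine CERTIFICATE>:10x:::::2:
"""
# Key IDs the magazine itself publishes (short IDs from the thread, zero-padded).
PUBLISHED_CA = {"00000000B3B2A12C", "00000000DAFFB000", "00000000BB1D9F6D"}
```

Note that sig records carry only key IDs, never the signer's fingerprint, so the published list should be built from fingerprints taken off the magazine's own page and reduced to long key IDs, not from short IDs found on a keyserver.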