Proposal of OpenPGP Email Validation

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Fri Jul 31 01:11:35 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Thursday 30 July 2015 at 4:12:35 PM, in
<mid:55BA3EE3.7000608 at gmail.com>, Viktor Dick wrote:


> On 2015-07-30 16:39, MFPA wrote:
>> On Thursday 30 July 2015 at 1:43:35 PM, in
>> <mid:55BA1BF7.4090408 at enigmail.net>, nico at enigmail.net wrote
>>> BTW, as another example, several keys of
>>> team at gpgtools.org are faked (search for these keys and
>>> the interesting result).

>> Sorry, I don't see a result that leaps out at me as
>> interesting. Are you willing to elaborate?

> I'd say if one searches on a keyserver, it is pretty
> clear which key is real.

Only if you download the key from the GPGTools website and find the
key-id first. (If the GPGTools team shows their key ID or Fingerprint
on their website, I failed to find it.)


My output from searching a keyserver for "gpgtools.org":-

- -----------------------------------------------------------------------

C:\TDM-GCC-32>gpg --search-keys team at gpgtools.org
gpg: using character set 'utf-8'
gpg: data source: http://kronecker.scientia.net:11371
(1)     GPGTools Team <team at gpgtools.org>
          2048 bit RSA key 0xDE13CCD892EFC169, created: 2013-09-13, expires: 2017-09-13
(2)     GPGTools Team <team at gpgtools.org>
          2048 bit RSA key 0x93F6E721F7D75F75, created: 2013-09-13, expires: 2017-09-13
(3)     GPGTools Team <team at gpgtools.org>
          2048 bit RSA key 0x07F7603CC8F5BBF1, created: 2013-09-13, expires: 2017-09-13
(4)     *Key invalid; use 76D78F0500D026C4
        GPG Tools Team <team at gpgtools.org>
          2048 bit RSA key 0x929D128A9EA002BA, created: 2013-09-13, expires: 2017-09-13
(5)     George Nigg <team at gpgtools.org>
          2048 bit RSA key 0xD0863D5E46FA0F9F, created: 2013-07-12, expires: 2017-07-12
(6)     GPGTools Team <team at gpgtools.org>
        GPGMail Project Team (Official OpenPGP Key) <gpgmail-devel at lists.gpgma
        GPGTools Project Team (Official OpenPGP Key) <gpgtools-org at lists.gpgto
          2048 bit DSA key 0x76D78F0500D026C4, created: 2010-08-19, expires: 2018-08-19
Keys 1-6 of 6 for "team at gpgtools.org".  Enter number(s), N)ext, or Q)uit >


- -----------------------------------------------------------------------


Number 6 has more UIDs but nothing in the search listing tells me any
key is clearly the one I want.

When verifying a software download, the search would be the other way
around. I would be checking a signature, so GnuPG would search the
server for the key-id that made the signature, the signature would be
good or bad, and the key would be the one their website says it should
be or it wouldn't. (OK, there would quite probably be certifications
vouching for the key as well, in case the site was hacked and now said
a different key.)



> I'm a bit worried because when
> I search with Enigmail it does not show the signatures,
> so from there they all seem equally valid.

I do not use Enigmail, so couldn't comment.

However, what would be different if one of the keys found happened to
carry one of your proposed?


- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

What's another word for synonym?
-----BEGIN PGP SIGNATURE-----
=qAVG
-----END PGP SIGNATURE-----
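The verification flow the message describes (check the signature, then check that the signing key is the one the project's website names) can be pinned to a fingerprint instead of to a user ID, so that lookalike keys carrying the same "team at gpgtools.org" UID never pass. The following is an added example, not code from the thread or from GPGTools: it parses the machine-readable lines GnuPG emits with `--status-fd` (the GOODSIG, VALIDSIG and BADSIG keywords are GnuPG's documented status keywords) and accepts a signature only when the signing key's or its primary key's fingerprint is on a list you obtained out of band. The status lines, key IDs and fingerprints in the sample data are constructed placeholders, not real GPGTools key material.

```python
"""Pin a GnuPG signature check to an expected key fingerprint (added example)."""
import subprocess

STATUS_PREFIX = "[GNUPG:] "

# Fingerprint you copied from the project's website or from a trusted contact.
# CONSTRUCTED placeholder value, not a real key.
PINNED_FINGERPRINTS = ["AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333"]

# CONSTRUCTED sample of what `gpg --status-fd 1 --verify` prints for a good
# signature from the pinned key (VALIDSIG's last field is the primary key fpr).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID XXXXXXXXXXXXXXXXXXXXXXXXXXX 2015-07-30 1438256400
[GNUPG:] GOODSIG 0123456789ABCDEF Example Team <team at example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2015-07-30 1438256400 0 4 0 1 10 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# CONSTRUCTED sample: a perfectly valid signature, but from a different key
# whose user ID merely looks like the team's. This must be rejected.
SAMPLE_LOOKALIKE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example Team <team at example.org>
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2015-07-30 1438256400 0 4 0 1 10 00 9999888877776666555544443333222211110000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# CONSTRUCTED sample: the data was modified after signing.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Team <team at example.org>
"""


def parse_status(status_text):
    """Turn --status-fd output into a list of (keyword, [args]) tuples,
    ignoring anything that is not a status line."""
    records = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            records.append((fields[0], fields[1:]))
    return records


def signature_verdict(status_text, expected_fingerprints):
    """Return (ok, reason). ok is True only when GnuPG reported GOODSIG and
    the VALIDSIG fingerprint (signing subkey or primary key) is pinned."""
    expected = {fp.replace(" ", "").upper() for fp in expected_fingerprints}
    good = False
    seen = set()
    for keyword, args in parse_status(status_text):
        # Any of these means the signature must not be trusted at all.
        if keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            seen.add(args[0].upper())          # fingerprint of the signing key
            if len(args) >= 10:
                seen.add(args[9].upper())      # fingerprint of the primary key
    if not good:
        return False, "no GOODSIG"
    if not seen & expected:
        # A "good" signature from a key you did not pin is the lookalike case.
        return False, "signed by unexpected key"
    return True, "good signature from pinned key"


def verify_file(sig_path, data_path, expected_fingerprints=PINNED_FINGERPRINTS):
    """Run the real gpg binary (assumed to be on PATH) and judge its output.
    Status lines go to fd 1 so they are separated from the human-readable
    messages gpg writes to stderr."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return signature_verdict(proc.stdout, expected_fingerprints)


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("lookalike", SAMPLE_LOOKALIKE),
                         ("bad", SAMPLE_BAD)):
        print(name, signature_verdict(sample, PINNED_FINGERPRINTS))
```

The design point is that GOODSIG alone only says "some key in your keyring made this signature"; the decision has to be made on the VALIDSIG fingerprint compared against a value you did not get from the keyserver, which is exactly the piece of information the search listing above never supplies.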