Proposal of OpenPGP Email Validation

MFPA 2014-667rhzu3dc-lists-groups at
Fri Jul 31 01:11:35 CEST 2015

On Thursday 30 July 2015 at 4:12:35 PM, in
<mid:55BA3EE3.7000608 at>, Viktor Dick wrote:

> On 2015-07-30 16:39, MFPA wrote:
>> On Thursday 30 July 2015 at 1:43:35 PM, in
>> <mid:55BA1BF7.4090408 at>, nico at wrote
>>> BTW, as another example, several keys of
>>> team at are faked (search for these keys and
>>> the interesting result).

>> Sorry, I don't see a result that leaps out at me as
>> interesting. Are you willing to elaborate?

> I'd say if one searches on a keyserver, it is pretty
> clear which key is real.

Only if you download the key from the GPGTools website and find the
key-id first. (If the GPGTools team shows their key ID or Fingerprint
on their website, I failed to find it.)

My output from searching a keyserver for "":-

C:\TDM-GCC-32>gpg --search-keys team at
gpg: using character set 'utf-8'
gpg: data source:
(1)     GPGTools Team <team at>
          2048 bit RSA key 0xDE13CCD892EFC169, created: 2013-09-13, expires: 2017-09-13
(2)     GPGTools Team <team at>
          2048 bit RSA key 0x93F6E721F7D75F75, created: 2013-09-13, expires: 2017-09-13
(3)     GPGTools Team <team at>
          2048 bit RSA key 0x07F7603CC8F5BBF1, created: 2013-09-13, expires: 2017-09-13
(4)     *Key invalid; use 76D78F0500D026C4
        GPG Tools Team <team at>
          2048 bit RSA key 0x929D128A9EA002BA, created: 2013-09-13, expires: 2017-09-13
(5)     George Nigg <team at>
          2048 bit RSA key 0xD0863D5E46FA0F9F, created: 2013-07-12, expires: 2017-07-12
(6)     GPGTools Team <team at>
        GPGMail Project Team (Official OpenPGP Key) <gpgmail-devel at list
        GPGTools Project Team (Official OpenPGP Key) <gpgtools-org at list
          2048 bit DSA key 0x76D78F0500D026C4, created: 2010-08-19, expires: 2018-08-19
Keys 1-6 of 6 for "team at".  Enter number(s), N)ext, or Q)uit >

Number 6 has more UIDs but nothing in the search listing tells me any
key is clearly the one I want.

When verifying a software download, the search would be the other way
around. I would be checking a signature, so GnuPG would search the
server for the key-id that made the signature, the signature would be
good or bad, and the key would be the one their website says it should
be or it wouldn't. (OK, there would quite probably be certifications
vouching for the key as well, in case the site was hacked and now said
a different key.)

> I'm a bit worried because when
> I search with Enigmail it does not show the signatures,
> so from there they all seem equally valid.

I do not use Enigmail, so couldn't comment.

However, what would be different if one of the keys found happened to
carry one of your proposed?
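
The download-verification flow MFPA describes above (GnuPG fetches the key that made the signature, reports the signature good or bad, and the key is then compared with what the website says it should be) is scripted below as an added example; it is not part of the original thread and not GPGTools' or GnuPG's own code. It reads gpg's machine-readable --status-fd output and pins the full fingerprint of the primary key instead of trusting a GOODSIG on its own, because, as the keyserver listing shows, a "good" signature only proves that some key carrying that user ID signed the file. The fingerprints, user ID and status lines in the block are constructed placeholders, not any real key; the VALIDSIG field layout is the one documented in GnuPG's DETAILS file, and --auto-key-retrieve is the GnuPG 2.1+ spelling (older releases used --keyserver-options auto-key-retrieve) and assumes a keyserver is configured.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature and pin the signer's
# primary-key fingerprint, working from gpg's --status-fd output.
set -e

# Placeholder fingerprint standing in for the one a project publishes on its
# website. It is made up for this example, not GPGTools' real key.
PINNED_FPR='0123456789ABCDEF0123456789ABCDEF01234567'

# Pull the primary-key fingerprint out of the VALIDSIG status line.
# Fields after "[GNUPG:] VALIDSIG": sig-fpr date sig-ts expire-ts version
# reserved pubkey-algo hash-algo sig-class primary-key-fpr, so the primary
# key is awk field 12. Field 3 may be a signing subkey, which is why we do
# not compare it.
validsig_primary_fpr() {
    printf '%s\n' "$1" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" { print $12; exit }'
}

# check_status EXPECTED_FPR STATUS_OUTPUT
# Succeeds only if gpg reported GOODSIG, reported no bad/erroneous/expired/
# revoked-key signature, and the primary key's fingerprint equals the pin.
check_status() {
    expected="$1"
    status="$2"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) ' && return 1
    fpr=$(validsig_primary_fpr "$status")
    [ -n "$fpr" ] && [ "$fpr" = "$expected" ]
}

# verify_download EXPECTED_FPR FILE DETACHED_SIG
# The "other way around" search: gpg fetches the key ID named in the
# signature from the keyserver, then we judge the result by fingerprint.
verify_download() {
    status=$(gpg --batch --status-fd 1 --auto-key-retrieve --verify "$3" "$2") || true
    check_status "$1" "$status"
}

# Constructed status output (not captured from any real key) for offline use.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Team <team@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-07-30 1438257155 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Same primary key, but signed with a signing subkey: field 3 differs, field 12 matches.
SAMPLE_SUBKEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Team <team@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2015-07-30 1438257155 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# A "good" signature from a different key that carries the same user ID:
# exactly the situation in the keyserver listing above.
SAMPLE_IMPOSTOR='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example Team <team@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2015-07-30 1438257155 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

SAMPLE_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Team <team@example.org>'

for name in SAMPLE_GOOD SAMPLE_SUBKEY SAMPLE_IMPOSTOR SAMPLE_BADSIG; do
    eval "sample=\$$name"
    if check_status "$PINNED_FPR" "$sample"; then
        echo "$name: accepted (good signature, fingerprint matches pin)"
    else
        echo "$name: rejected"
    fi
done

# Live use: ./verify.sh file.dmg file.dmg.sig
if [ "$#" -eq 2 ]; then
    verify_download "$PINNED_FPR" "$1" "$2" && echo "verified" || { echo "REJECTED"; exit 1; }
fi
```

Note that gpg's own exit status and the GOODSIG line would accept any of the six keys in the listing once they are in the keyring; only the fingerprint comparison distinguishes the key the website names from the others, and the pin has to come from somewhere other than the keyserver itself.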

