Discussion:
Security of verifying gpg keys from internet key servers
David Woodfall
2018-08-13 20:54:54 UTC
On Monday 13 August 2018 20:22,
On Monday 13 August 2018 13:46,
On Monday, August 13, 2018 at 12:34:08PM +0100, David Woodfall
...
Do you have your key on a keyserver somewhere? I got a huge 30 sec
delay opening this because I only have keys.gnupg.net set as
keyserver. Not sure if there more popular ones these days?
Dave, do you verify gnuPG keys/signs on the fly? Is this secure?
Thx
Mutt does it automatically. I don't know why it wouldn't be secure.
Well, verifying the identity of an unknown person with some server over the
Internet is not very reliable, is it?
In what way? I think gnupg.net is a pretty secure source to look up
keys. There's no other way unless someone attaches/sends you their
key to import that I know about.

--

The game, anoraks.2.0.0.tgz, will be available from sunsite until somebody
responsible notices it and deletes it, and shortly from
ftp.mee.tcd.ie/pub/Brian, though they don't know that yet.
-- Brian O'Donnell, ***@tcd.ie

.--. oo
(____)//
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
Ben McGinnes
2018-10-28 12:39:37 UTC
Derek Martin
2018-10-28 23:31:34 UTC
Permalink
Post by Ben McGinnes
Post by David Woodfall
Well, verifying the identity of an unknown person with some server
over the Internet is not very reliable, is it?
In what way? I think gnupg.net is a pretty secure source to look up
keys. There's no other way unless someone attaches/sends you their
key to import that I know about.
It shouldn't matter which server an OpenPGP key was obtained from, the
security and/or validity of the key is maintained by the protocol's
implementation.
IIRC this is *mostly* true--except that some versions (and some key
servers) support subkeys, while others do not, and this mismatch could
break verification.

But aside from that, and aside from signature-related bugs like what
we were just discussing in that other thread, verifying a message with
GPG proves, mathematically, that the message was sent by the person
whose key matches the key fingerprint indicated on the message.
Nothing more, nothing less. It's up to you to confirm, either in
person or by "web of trust", that the key really belongs to the person
you think it does.

If you're not familiar with what the web of trust is, essentially it's
a mechanism that lets the user say, "I don't know who this person is
and I don't trust them, but I see that their key has been signed by my
good friends Jenny, Dave, and Robin, so I can assume the person really
is who they say they are."

This presumes that you know Jenny, Dave, and Robin, and know how
diligent they are about verifying keys, and trust that they actually
did verify the identity of the unknown person. If you don't, you can
choose not to trust the key as well.

In-person verification generally takes the form of an exchange, in
person, of the two people's public keys (which often may have been
made available previously, electronically), the key fingerprint of
those keys, and if necessary (i.e. you don't know the person by sight)
inspecting some sort of official identification. Then, assuming all
of those things match, particularly the fingerprint they gave you
matches the fingerprint PGP/GPG tells you the key has, you sign the
key via the command-line interface (or whatever), indicating your
level of trust of that key.
--
Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in
undeliverable mail due to spam prevention. Sorry for the inconvenience.
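The two checks Derek describes, comparing a fingerprint handed over in person against the one gpg shows and then letting the web of trust decide whether a stranger's key counts as valid, can be modelled in a few dozen lines. The following is an added example written for this thread; it is not code from GnuPG or from any poster. The only real detail it borrows is GnuPG's default rule that a key is valid once it is certified by one fully trusted introducer or by three marginally trusted ones (the `--completes-needed` / `--marginals-needed` defaults); every key, name and fingerprint in it is constructed sample data, and the `Keyring` class is a deliberately simplified stand-in for a real keyring and trust database.

```python
"""Toy model of in-person fingerprint checking and GnuPG-style web-of-trust
validity.  Added example for this thread, not code from GnuPG or from any
poster; all keys, names and fingerprints below are constructed sample data."""
from dataclasses import dataclass, field

# GnuPG's default thresholds (--completes-needed / --marginals-needed):
# one fully trusted introducer, or three marginally trusted ones.
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


def normalize_fingerprint(fpr: str) -> str:
    """Drop spaces and a leading 0x, upper-case: 'ab cd' and '0xABCD' compare equal."""
    fpr = fpr.strip()
    if fpr[:2].lower() == "0x":
        fpr = fpr[2:]
    return "".join(fpr.split()).upper()


def fingerprints_match(given_in_person: str, shown_by_gpg: str) -> bool:
    """True only if both are full 40-hex-digit (v4) fingerprints and identical.
    A short key id is rejected: it is far too easy to generate a colliding one."""
    a = normalize_fingerprint(given_in_person)
    b = normalize_fingerprint(shown_by_gpg)
    hexdigits = set("0123456789ABCDEF")
    if len(a) != 40 or len(b) != 40 or not (set(a) <= hexdigits and set(b) <= hexdigits):
        return False
    return a == b


@dataclass
class Key:
    fingerprint: str
    owner: str
    certified_by: set = field(default_factory=set)  # fingerprints of keys that signed this one


class Keyring:
    """Keys, the certifications (key signatures) on them, and my ownertrust in their owners."""

    def __init__(self) -> None:
        self.keys: dict = {}
        self.ownertrust: dict = {}            # fingerprint -> FULL or MARGINAL; unset means unknown
        self.ultimately_trusted: set = set()  # my own key(s)

    def add_key(self, key: Key) -> None:
        self.keys[key.fingerprint] = key

    def certify(self, signer: str, target: str) -> None:
        """Record that `signer` signed `target` (what signing a key produces)."""
        self.keys[target].certified_by.add(signer)

    def set_ownertrust(self, fpr: str, level: str) -> None:
        self.ownertrust[fpr] = level

    def compute_validity(self) -> dict:
        """Fixed-point iteration: a key becomes valid when enough *valid* introducers
        with sufficient ownertrust have certified it.  Only valid keys may vouch, so
        a chain that starts from an unverified key never leads anywhere."""
        valid = set(self.ultimately_trusted)
        changed = True
        while changed:
            changed = False
            for fpr, key in self.keys.items():
                if fpr in valid:
                    continue
                introducers = [s for s in key.certified_by if s in valid]
                full = sum(1 for s in introducers
                           if s in self.ultimately_trusted or self.ownertrust.get(s) == FULL)
                marginal = sum(1 for s in introducers if self.ownertrust.get(s) == MARGINAL)
                if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                    valid.add(fpr)
                    changed = True
        return {fpr: fpr in valid for fpr in self.keys}


def thread_scenario() -> dict:
    """The Jenny/Dave/Robin situation from the thread, with constructed fingerprints."""
    kr = Keyring()
    names = ["me", "jenny", "dave", "robin", "stranger", "two_signers", "vouched_by_stranger"]
    fprs = {n: f"{i:040X}" for i, n in enumerate(names, start=1)}  # constructed, not real keys
    for n, f in fprs.items():
        kr.add_key(Key(f, n))
    kr.ultimately_trusted.add(fprs["me"])
    for friend in ("jenny", "dave", "robin"):
        kr.certify(fprs["me"], fprs[friend])          # I checked their fingerprints in person
        kr.set_ownertrust(fprs[friend], MARGINAL)      # and know they check IDs, though not perfectly
        kr.certify(fprs[friend], fprs["stranger"])     # all three have signed the stranger's key
    for friend in ("jenny", "dave"):
        kr.certify(fprs[friend], fprs["two_signers"])  # only two marginal signatures: not enough
    kr.certify(fprs["stranger"], fprs["vouched_by_stranger"])  # valid key, but no ownertrust set
    validity = kr.compute_validity()
    return {n: validity[f] for n, f in fprs.items()}


if __name__ == "__main__":
    print(fingerprints_match("0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
                             "0123456789abcdef0123456789abcdef01234567"))
    for name, ok in thread_scenario().items():
        print(f"{name:20s} {'valid' if ok else 'NOT valid'}")
```

The point the model makes is the one Ben and Derek are both getting at: where a key was downloaded from never enters the calculation. Validity comes only from certifications by keys you have verified yourself (`me` signing Jenny, Dave and Robin after checking their fingerprints in person) and from the ownertrust you assign to those people. The stranger signed by all three friends comes out valid, the one signed by only two does not, and a key vouched for solely by the stranger stays invalid even though the stranger's own key is valid, because you never set any ownertrust for them. With real GnuPG the corresponding steps are `gpg --fingerprint KEYID` to display the fingerprint you compare, `gpg --sign-key KEYID` to record your certification, and the `trust` command inside `gpg --edit-key KEYID` to set ownertrust.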