Security of verifying gpg keys from internet key servers

Derek Martin invalid at pizzashack.org
Sun Oct 28 23:31:34 UTC 2018


On Sun, Oct 28, 2018 at 11:39:37PM +1100, Ben McGinnes wrote:
> >> Well, verifying the identity of an unknown person with some server
> >> over the Internet is not very reliable, is it?
> > 
> > In what way? I think gnupg.net is a pretty secure source to look up
> > keys. There's no other way unless someone attaches/sends you their
> > key to import that I know about.
> 
> It shouldn't matter which server an OpenPGP key was obtained from, the
> security and/or validity of the key is maintained by the protocol's
> implementation.

IIRC this is *mostly* true--except that some versions (and some key
servers) support subkeys, while others do not, and this mismatch could
break verification.

But aside from that, and aside from signature-related bugs like what
we were just discussing in that other thread, verifying a message with
GPG proves, mathematically, that the message was sent by the person
whose key matches the key fingerprint indicated on the message.
Nothing more, nothing less.  It's up to you to confirm, either in
person or by "web of trust", that the key really belongs to the person
you think it does.

If you're not familiar with what the web of trust is, essentially it's
a mechanism that lets the user say, "I don't know who this person is
and I don't trust them, but I see that their key has been signed by my
good friends Jenny, Dave, and Robin, so I can assume the person really
is who they say they are."

This presumes that you know Jenny, Dave, and Robin, and know how
diligent they are about verifying keys, and trust that they actually
did verify the identity of the unknown person.  If you don't, you can
choose not to trust the key as well.

In-person verification generally takes the form of an exchange, in
person, of the two people's public keys (which often may have been
made available previously, electronically), the key fingerprint of
those keys, and if necessary (i.e. you don't know the person by sight)
inspecting some sort of official identification.  Then, assuming all
of those things match, particularly the fingerprint they gave you
matches the fingerprint PGP/GPG tells you the key has, you sign the
key via the command-line interface (or whatever), indicating your
level of trust of that key.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.
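An added example, not from the original post and not GnuPG's own code: a small Python helper for the fingerprint comparison step described above. It parses the machine-readable output of `gpg --with-colons --fingerprint`, accepts only the full 40-hex-digit fingerprint the person handed you (a short key ID is refused), and produces the `gpg --sign-key` command to run once the match is confirmed. The key data embedded below is constructed and belongs to no real key.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output for a made-up key;
# both fingerprints are placeholders, not any real person's key.
SAMPLE_GPG_OUTPUT = """\
tru::1:1540000000:0:3:1:5
pub:-:4096:1:6D7E8F9001122334:1540000000::-:::scESC::::::23::0:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001122334:
uid:-::::1540000000::0000000000000000000000000000000000000000::Example Person <person@example.org>::::::::::0:
sub:-:4096:1:4455556666777788:1540000000::::::e::::::23:
fpr:::::::::0000111122223333444455556666777788889999:
"""

FULL_FINGERPRINT = re.compile(r"[0-9A-F]{40}")

def normalize_fingerprint(text):
    """Drop the spaces gpg prints in groups of four and an optional 0x prefix; uppercase."""
    text = re.sub(r"\s+", "", text).upper()
    return text[2:] if text.startswith("0X") else text

def primary_fingerprints(colons_output):
    """Fingerprints of primary keys only. An 'fpr' record belongs to the
    'pub'/'sub' record just before it, so subkey fingerprints are skipped."""
    result, current = [], None
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub", "sec", "ssb"):
            current = fields[0]
        elif fields[0] == "fpr" and current == "pub":
            result.append(fields[9])  # field 10 of an fpr record is the fingerprint
    return result

def fingerprint_matches(claimed, colons_output):
    """True only if the claimed value is a full 40-hex-digit fingerprint that equals a
    primary-key fingerprint gpg reports. An 8- or 16-digit key ID is refused, since
    a key with a colliding short ID is cheap to generate."""
    claimed = normalize_fingerprint(claimed)
    return bool(FULL_FINGERPRINT.fullmatch(claimed)) and claimed in primary_fingerprints(colons_output)

def sign_command(fingerprint):
    """The gpg invocation to run only after the out-of-band fingerprint check passed."""
    return ["gpg", "--ask-cert-level", "--sign-key", normalize_fingerprint(fingerprint)]

if __name__ == "__main__":
    card = "A1B2 C3D4 E5F6 0718 293A  4B5C 6D7E 8F90 0112 2334"  # as read off their card
    if fingerprint_matches(card, SAMPLE_GPG_OUTPUT):
        print("fingerprint matches; now run:", " ".join(sign_command(card)))
    else:
        print("mismatch or short key ID; do not sign")
```

In practice you would feed it the real output of `gpg --with-colons --fingerprint <fingerprint>` for the key you imported from the key server instead of the constructed sample.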
