6

I've added the public key of Diceware creator (please use it as a practical example), I've added it by downloading diceware.wordlist.asc, and I didn't have his key and couldn't immediately find it to import it to GnuPG.

So I improvised and did gpg --verify ~/Desktop/diceware.wordlist.asc.

This showed that the file was signed by key ID: AC3184A1 (short key ID, I know... But that's what gpg showed me!)

I took that and did gpg --recv AC3184A1. Which I now have.

How can I make sure this key is owned by Arnold G. Reinhold?

Sure, it shows the name in the key ID owner in gpg, and it lists the same fingerprint found here. But neither of those is a trusted way to verify. The fingerprint is on an untrusted page, and for all I know, it's been changed in transit before reaching my PC. And the name is just arbitrary data that I can replicate myself using any gpg client.

I remember once I imported a key of someone, and they told me to view the "Web of Trust" signatures. I've been trying to find that command but I just couldn't pinpoint it with certainty. I found this command, which I think it's the WOT command: gpg --list-sig AC3184A1 which if issued will produce this:

pub   1024R/AC3184A1 1995-02-23
uid                  Arnold G. Reinhold <reinhold@world.std.com>
sig          AC3184A1 1995-02-23  Arnold G. Reinhold <reinhold@world.std.com>
sig          5F63A5B9 1995-03-27  [User ID not found]
sig          0959ECA9 1995-12-02  [User ID not found]
sig          0FF98BC9 1997-04-20  [User ID not found]
sig          E3EF9085 2001-11-28  [User ID not found]
sig          AC48A400 2001-10-22  [User ID not found]
sig          066030C3 2001-11-28  [User ID not found]
sig          D782FE45 2002-03-31  [User ID not found]
sig          BBD264A6 2004-01-02  [User ID not found]
sig 1        87D1CE0F 2004-03-04  [User ID not found]

But all of those are [User ID not found].

So again, how can I make sure the key is for whom it says it's for?

PS. Please don't go into 1024bit key weaknesses. I know this.

UPDATE:

Assuming I have done everything here correctly, and that I found gpg --list-sig AC3184A1 which if issued will produce this:

pub   1024R/AC3184A1 1995-02-23
uid                  Arnold G. Reinhold <reinhold@world.std.com>
sig          AC3184A1 1995-02-23  Arnold G. Reinhold <reinhold@world.std.com>
sig          5F63A5B9 1995-03-27  [PEOPLE I TRUST@TRUSTED.ORG]
sig          0959ECA9 1995-12-02  [PEOPLE I TRUST@TRUSTED.ORG]
sig          0FF98BC9 1997-04-20  [PEOPLE I TRUST@TRUSTED.ORG]
sig          E3EF9085 2001-11-28  [PEOPLE I TRUST@TRUSTED.ORG]
sig          AC48A400 2001-10-22  [PEOPLE I TRUST@TRUSTED.ORG]
sig          066030C3 2001-11-28  [User ID not found]
sig          D782FE45 2002-03-31  [User ID not found]
sig          BBD264A6 2004-01-02  [User ID not found]
sig 1        87D1CE0F 2004-03-04  [User ID not found]

How can I make sure that [PEOPLE I TRUST@TRUSTED.ORG] aren't all also forged identities? I can now make [PEOPLE I TRUST@TRUSTED.ORG] key ID and published it, can't I?

PS: This is the Diceware list I'm using in this question

Jens Erat
  • 23,816
  • 12
  • 75
  • 96
Mars
  • 1,843
  • 3
  • 16
  • 22

1 Answers1

10

Important note before I start: in OpenPGP, there is nobody telling you whom to trust. You have to perform this verification on your own, but there are tools (like certifications in the web of trust) that help you doing so. For the same reasons, I cannot provide you with a step-by-step tutorial on verifying a given OpenPGP key, but can only give some advice on how you could possibly verify it on your own.

You have two possibilities to verify the key's ownership: directly or through the web of trust.

Directly Verifying OpenPGP Keys

This is rather obvious. Find the owner, and ask him through a trusted channel. Meeting him probably involves least hassle -- apart from fixing an appointment and travelling.

If this is too much hassle or expensive (which it probably will be), you can go for other ways of verifying the fingerprint (choose depending on your paranoidity, not all of those will be appropriate for your use case).

  • Verify against the web site. If it is not properly encrypted or you don't trust the certificate, consider also verifying against web caches like archive.org, which also hosts a time line of websites' changes. Consider using multiple connections, possible from different countries (ask somebody, use VPN, proxies, ...).
  • Verify against completely unconnected channels. For example, maybe the fingerprint was once printed somewhere in a product box, or is included in a trusted place: for example, is there a Debian package also listing the fingerprint in the documentation somewhere?
  • Search in closely connected news groups and mailing lists for signed posts. When there's a history of signed posts and nobody crying "hey, that's not me!", this also indicates the key might belong to whom it claims.
  • Generally try to find as much indications as you can find the key is the right one, especially over time. Also try to find whether there are other keys that seem to belong to the owner, but are not used widely (news group posts, mailing lists, as above).

The last points only can be an indication that everything's fine, and how much of those you accept depends on your needs.

Verifying Through the Web of Trust

An alternative is verification through the web of trust. A helpful tool for building a trust chain would be the PGP pathfinder, I linked an example with a trust path from my key to Anold Reinhold's key (which is of limited use, by the way).

For verifying throughout the web of trust, you have to build a trust path, this means there must be a way to validate each step in-between. If there is a valid key with an outgoing certification, the certified key will also be valid; also depending on the maximum path length, certification level and trust settings. I put together some more details in "What is the exact meaning of this gpg output regarding trust?".

If you cannot build a trust path, because you don't know anybody of those, you could go for trusted organizations. Either fetch all of keys that issued certifications, or query a key server which already knows all of them. Do you recognize any well-known and trusted organization? You might accept to trust their employees/members, and be able to verify their fingerprints through the organization's website. Which ones you consider well-trusted fully depends own your personal opinion. John R. Levine issued multiple certification from different keys and is rather well-known for his publications and work, thus might be a good starting point if you are able to verify his key through some of the described measures listed above.

A good way of bootstrapping those trust paths is regularly visiting key signing parties at different occasions.

Verifying Through a Certificate Authority

This is actually very close to the web of trust network and indeed uses the same tools. Certificate authorities (as also known from X.509) issue certificates based on a set of rules. If you trust the CA, you can trust all of their certifications. Examples of such CAs in the OpenPGP environment would be

  • CAcert (they also sign OpenPGP keys)
  • Heise Verlag (German site, a company running a few German computer science magazines, and also do some CA services)
  • PGP Global Directory (only validated mail addresses, not identities)
Jens Erat
  • 23,816
  • 12
  • 75
  • 96