Re: gpg says no user ID
Hi,
the program gpg writes about the Debian CD signing key DA87E80D6294BE9B :
> > > WARNING: This key is not certified with a trusted signature!
> > > There is no indication that the signature belongs to the owner
I wrote:
> > This is a security usability problem. How is a non-expert to know that
> > this warning can be ignored, while others must be tended to?
Jeffrey Walton wrote:
> This is a security usability problem. How is a non-expert to know that
> this warning can be ignored, while others must be tended to?
Yep. Didactically it is quite unfortunate.
It would be interesting to learn how to connect the key to a web of trust
which would suppress this warning everywhere.
But reading
https://www.gnupg.org/gph/en/manual/x334.html
"Validating other keys on your public keyring"
https://gnupg.org/download/integrity_check.html
(GnuPG's own download integrity check prescriptions)
i get the impression that there is no global web of trust to attach to.
> The answer is, the non-expert does not know.
Nearly nobody can judge how safe a gpg signature is. The algorithms are
complicated and the interface towards human users invites for mistakes
and misunderstandings.
> > https://www.debian.org/CD/verify
> The page does not provide a prescriptive recipe on how to do what it
> says to do.
In general one cannot give such a recipe without knowing the system
on which the verification shall happen.
But i agree that a tangible example for an existing Debian old-stable
system could help even those who use something else.
> > Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
> > echo "DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B" | sed -e 's/ //g'
> Something needs to be fixed here.
I meanwhile get the impression that this is not needed in real life, because
my local gpg states the fingerprint with the same blanks as on the Debian web
page:
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
So i assume that Thomas George's reported line
...Primary key fingerprint: DF9B9C49EAA9298432589D76DA87E80D6294BE9B
fell victim to editing or mail client.
(But we see how difficult it is to give a general description of the
procedure.)
> One last thought... https://www.debian.org/CD/verify should probably
> be moved to the wiki.
That would probably not be a good idea.
The page offers the official keys for download and states their official key
fingerprints. Such a page should be editable only by the most authorized
people.
But www.debian.org/CD/verify could point to a public wiki where users
show their favorite ways to do the verification.
Such a wiki would of course need to be constantly observed by users who
dispute and remove any attempt of deception.
Have a nice day :)
Thomas
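Added example, not part of Thomas's mail: a small POSIX sh script that does the fingerprint comparison the thread discusses. It strips blanks from both the published fingerprint and the "Primary key fingerprint:" line gpg prints, so it does not matter whether the line arrives with or without the spaces. The gpg output embedded below is constructed for the test (only the key ID and fingerprint are the ones quoted in the thread); the function and variable names are my own. A matching fingerprint only tells you which key made the signature; the "not certified" warning from gpg still appears until that key is signed or trusted locally.

```sh
#!/bin/sh
# Fingerprint published on https://www.debian.org/CD/verify, as quoted in the thread.
EXPECTED_FPR="DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B"

# Constructed sample of gpg --verify output (not real output; key ID and
# fingerprint taken from the thread, the rest is illustrative).
SAMPLE_OUTPUT='gpg: Signature made Mon 01 Jan 2018 00:00:00 UTC
gpg:                using RSA key DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B'

# Remove all whitespace and upper-case hex digits, so "DF9B 9C49 ..." and
# "df9b9c49..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read gpg output on stdin, pick the "Primary key fingerprint:" line and compare
# it (normalized) with EXPECTED_FPR. Returns 0 on match, 1 otherwise.
check_gpg_output() {
    got=$(sed -n 's/^.*Primary key fingerprint: *//p' | head -n 1)
    [ -n "$got" ] || return 1
    [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Real use: verify a detached signature (e.g. SHA256SUMS.sign SHA256SUMS).
# Fails if gpg itself reports a bad signature, or if the signing key's
# fingerprint is not the published one.
verify_sums() {
    out=$(gpg --verify "$1" "$2" 2>&1) || return 1
    printf '%s\n' "$out" | check_gpg_output
}

# Stand-alone demo on the constructed sample.
if printf '%s\n' "$SAMPLE_OUTPUT" | check_gpg_output; then
    echo "fingerprint matches the published one"
else
    echo "fingerprint does NOT match"
fi
```

After a successful "verify_sums SHA256SUMS.sign SHA256SUMS", the checksum file itself can be used with "sha256sum -c --ignore-missing SHA256SUMS" to check the downloaded image.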