
Re: [Sks-devel] sks-keyservers.net: Now in the monkeysphere


From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] sks-keyservers.net: Now in the monkeysphere
Date: Fri, 10 Aug 2012 13:54:35 -0400
User-agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.5) Gecko/20120624 Icedove/10.0.5

On 08/10/2012 01:34 PM, Gabor Kiss wrote:
> [kristian fiskerstrand wrote:]
>> As an FYI; I've now added HTTPS/TLS support to
>> https://sks-keyservers.net . It is part of the monkeysphere[0], i.e.
>> using a self-signed certificate that can be verified through the Web of
>> Trust of OpenPGP.
>>
>> The KeyID of the certificate is 0xd71fd9994af34f0b and can be
>> found in the pool[1]. The fingerprint of the key is
>> 878F FB44 5E6E 13A6 4716 3BDC D71F D999 4AF3 4F0B

this fingerprint is the OpenPGP fingerprint of the public key associated
with https://sks-keyservers.net.  As with any OpenPGPv4 fingerprint, it
is a digest made over some boilerplate, the key creation time, and the
public key material.

> My browsers say that SHA-1 fingerprint of
> certificate of sks-keyservers.net is
>   F7 2A 69 75 64 44 08 D3 38 D3 5D AE DE AD 7C 44 53 0D FA 40
> MD5 is
>   26 BB A1 88 FF E7 C9 A0 AC 97 4F F8 04 F4 FF 03
> SHA-256 is
>   06 64 76 1C 8C D3 9C D6 AE 83 FE 82 13 DF 89 37
>   D4 40 3B 39 0F 58 57 41 D6 F6 89 B1 B9 E5 7C 8B

these digests are the digests of the X.509 certificate, which covers the
site's public key material plus some other DER-encoded metadata.

So you can't directly compare these fingerprints. :(

However, you *can* compare the public key material between the
certificates (though that's tedious to do by hand) -- you'll see that
the OpenPGP certificate signed by Kristian contains the same public key
material as the X.509 certificate offered directly by the web site.

> None of them looks like you mentioned.
> Probably I misunderstood something. :-)
> What should I check if I want to verify this connection?

if you have a copy of the X.509 certificate locally in
sks-keyservers.pem, and gpg believes kristian's keys are valid, and you
are running the monkeysphere validation agent, you could do:

 msva-query-agent https sks-keyservers.net x509pem < sks-keyservers.pem

> (AFAIK Opera has no monkeysphere plugin.)

if you'd like to implement one, we'd be happy to point you in the right
direction :)

  http://web.monkeysphere.info/community/

        --dkg
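A worked illustration of the point made above, added here and not part of the thread: the OpenPGP v4 fingerprint is SHA-1 over a packet that includes a version byte, the creation time and the key material, while a browser's certificate fingerprint is a digest over DER-encoded bytes, so the two never match even for the same RSA key; what can be compared is (n, e) recovered from each encoding. The RSA modulus, exponent and creation time below are constructed sample values (the modulus is deliberately tiny and insecure), and the DER parser handles only the PKCS#1 RSAPublicKey SEQUENCE, not a whole certificate.

```python
import hashlib
import struct

def mpi(value):
    """OpenPGP MPI: 2-byte bit length followed by the big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def openpgp_v4_fingerprint(n, e, created):
    """RFC 4880 v4 fingerprint of an RSA key: SHA-1 over 0x99, 2-byte length, version 4, creation time, algo 1, MPIs."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def der_len(length):
    """DER length octets: short form below 128, otherwise 0x80|count then the length bytes."""
    if length < 128:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der_int(value):
    """DER INTEGER; a 0x00 pad byte is added when the top bit is set so it stays positive."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + der_len(len(raw)) + raw

def der_rsa_public_key(n, e):
    """PKCS#1 RSAPublicKey, the SEQUENCE { n, e } that an X.509 SubjectPublicKeyInfo wraps for RSA."""
    inner = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(inner)) + inner

def read_tlv(buf, pos):
    """Decode one DER element at pos; returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def parse_der_rsa_public_key(der):
    """Recover (n, e) from a PKCS#1 RSAPublicKey; this is the material that can be compared."""
    tag, seq, _ = read_tlv(der, 0)
    t_n, n_bytes, pos = read_tlv(seq, 0)
    t_e, e_bytes, _ = read_tlv(seq, pos)
    if tag != 0x30 or t_n != 0x02 or t_e != 0x02:
        raise ValueError("not an RSAPublicKey SEQUENCE of two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

SAMPLE_N = (1 << 1023) + 0x10001  # constructed, insecure sample modulus, not a real key
SAMPLE_DER = der_rsa_public_key(SAMPLE_N, 65537)
```

Changing only the creation time changes the OpenPGP fingerprint while SAMPLE_DER stays byte-identical, which is exactly why the fingerprints in the two messages above cannot be compared directly but the parsed (n, e) can.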

