# GnuPG Key Servers

## wswartzendruber

Can someone please go to keys.gnupg.net and verify that I'm not insane?

----------

## cach0rr0

i dont see anything immediately out of sorts 

screencap or something?

----------

## cach0rr0

weird. it's just their one host in the netherlands that does that

(tested NL server later with -H 'keys.gnupg.net', same result)

```

meat@ricker ~ $ host keys.gnupg.net

keys.gnupg.net has address 195.113.19.83

keys.gnupg.net has address 209.234.253.170

keys.gnupg.net has address 131.155.141.70

keys.gnupg.net has address 188.40.65.201

meat@ricker ~ $ curl --head 195.113.19.83

curl: (7) couldn't connect to host

meat@ricker ~ $ curl --head 209.234.253.170

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Fri, 23 Sep 2011 00:13:54 GMT

Content-Type: text/html; charset=UTF-8

Connection: keep-alive

meat@ricker ~ $ curl --head 131.155.141.70

HTTP/1.1 302 Temporarily moved

Location: http://mud.stack.nl/

Content-type: text/html

Accept-ranges: bytes

Content-length: 0

meat@ricker ~ $ curl --head 188.40.65.201

HTTP/1.1 200 OK

Date: Fri, 23 Sep 2011 00:16:28 GMT

Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g

Last-Modified: Mon, 10 Aug 2009 15:23:09 GMT

ETag: "187c027-2d-470cb29cfd140"

Accept-Ranges: bytes

Content-Length: 45

Vary: Accept-Encoding

Content-Type: text/html

meat@ricker ~ $ iplookup 195.113.19.83

195.113.19.83: CZ

meat@ricker ~ $ iplookup 209.234.253.170

209.234.253.170: US

meat@ricker ~ $ iplookup 131.155.141.70

131.155.141.70: NL

meat@ricker ~ $ iplookup 188.40.65.201

188.40.65.201: DE

```

so no, i guess you're not crazy

----------

## cach0rr0

goddamn ninja delete, i saw your second post  :Laughing: 

and yes, one of the hosts *does* look to redirect to mud.stack.nl for whatever reason

----------

## wswartzendruber

Okay I figured it out.  There are for IPv4 addresses for keys.gnupg.net:

1. 131.155.141.70

2. 188.40.65.201

3. 209.234.253.170

4. 195.113.19.83

The first one redirects to mud.stack.nl.

The second one simply says "It works!"

The third one actually functions.

The fourth one doesn't answer.

----------

## wswartzendruber

Okay so I went on IRC and talked to some folks on #gnupg.  You use the gpg CLI interface to upload keys.  And there's no verification.  How can someone know that if they download a key for wswartzendruber@gmail.com that it's really mine?

----------

## Hu

The key must be verified out of band.  For example, if you posted your key ID here, we could assume that the key ID shown belongs either to you or to someone with access to silently modify your posts here.  If it is posted in enough unrelated places and those places all agree, we could assume that the only person who has access to all those places is you and therefore that the key shown is the correct one.

----------

## cach0rr0

 *wswartzendruber wrote:*   

> Okay so I went on IRC and talked to some folks on #gnupg.  You use the gpg CLI interface to upload keys.  And there's no verification.  How can someone know that if they download a key for wswartzendruber@gmail.com that it's really mine?

 

you'd generally, for any conversant with which authenticity is important, do a very manual key exchange, e.g. contact them in some way and say "hey, this is my key"

----------

## Bones McCracker

RTFM, PEBKAC-boy   :Razz: 

http://gnupg.org/gph/en/manual.html#AEN84

http://gnupg.org/documentation/index.en.html

----------

