Please test :)

David Shaw dshaw at jabberwocky.com
Sat Aug 15 06:19:37 CEST 2009


On Aug 14, 2009, at 2:46 PM, Todd Zullinger wrote:

> David Shaw wrote:
>> There is also a check-cert / no-check-cert option to enable checking
>> or not.  It's actually a bit of a question whether the default
>> should be to check or not to check (it's currently defaulting to
>> check).  Usually, you'd want to check by default, but in the case of
>> OpenPGP keys, the keys are not validated by the keyserver anyway.
>
> This is one of those potential bike shed topics. :)
>
> While the keyserver doesn't validate the keys, if someone is using
> hkps:// it may well be to provide privacy and security for which keys
> they are looking up.  If the cert is not checked the user cannot be
> sure the keyserver they are connecting to is the legitimate site which
> they trust.  To me, it seems like checking is the more reasonable
> default.

I agree (note that the default is to check, for both hkps and ldaps).
While we cannot know the reason why someone is using hkps (rather than
hkp), it is generally healthy to default to the more secure setting
unless there is a clear reason not to.  Those who don't want cert
checking can always turn it off.

David



