Keyserver/security bug 1447 (and 1446 too)

Werner Koch wk at
Mon Dec 3 14:11:32 CET 2012

On Mon,  3 Dec 2012 13:01, jeanjacquesbrucker at said:
>  What I didn't understand is that some are still trying to rely
>  security with DNS (or DNSSEC sometimes) and X509 certificates, when we

DNSSEC is actually not too bad - compared to PKIX.

However, we don't need to use the global PKIX but we can use the already
deployed software in a more simple but secure way.  Instead of
specifying a CA file, we associate the fingerprint of a certificate with
a given keyserver or poolname and only use this fingerprint to validate
the root CA.  Downloading the actual CA file could be automated; the
important part is that it is easy to enter the fingerprint in a conf



Thoughts are free.  Exceptions are regulated by a federal law.
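The fingerprint-pinning scheme described in the message above, as an added example that is not part of the original message and not GnuPG code. The `pin` config syntax, the choice of SHA-256 over the DER encoding, and the `pool.keyserver.example` name are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl

# Hypothetical config syntax (an assumption, not a GnuPG option):
#   pin <keyserver-or-pool-name> <SHA-256 fingerprint of the root CA, hex>
def parse_pins(conf_text):
    """Return {name: normalized hex fingerprint}; skips comments and other lines."""
    pins = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 2)
        if len(parts) != 3 or parts[0] != "pin":
            continue
        # Accept "AA:BB:..", "aabb.." and space-grouped forms.
        fpr = "".join(parts[2].split()).replace(":", "").lower()
        if len(fpr) != 64 or any(c not in "0123456789abcdef" for c in fpr):
            raise ValueError("malformed fingerprint for " + parts[1])
        pins[parts[1].lower()] = fpr
    return pins

def fingerprint(ca_der):
    """SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(ca_der).hexdigest()

def ca_is_pinned(pins, name, ca_der):
    """True only if a pin exists for name and matches the downloaded CA."""
    expected = pins.get(name.lower())
    if expected is None:
        return False  # fail closed: no pin means no trust
    return hmac.compare_digest(expected, fingerprint(ca_der))

def pinned_context(pins, name, ca_der):
    """TLS client context whose only trust anchor is the pinned CA."""
    if not ca_is_pinned(pins, name, ca_der):
        raise ssl.SSLError("root CA for %s does not match pinned fingerprint" % name)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # chain and hostname checks on
    ctx.load_verify_locations(cadata=ca_der)       # system CA store is not loaded
    return ctx

# Constructed stand-in bytes, not real certificates; the pin check only hashes them.
GOOD_CA = b"constructed-root-ca-der"
EVIL_CA = b"constructed-substituted-ca-der"
_fp = fingerprint(GOOD_CA).upper()
SAMPLE_CONF = "# constructed sample\npin pool.keyserver.example " + ":".join(
    _fp[i:i + 2] for i in range(0, 64, 2)) + "\n"
```

Because the CA file is accepted only after its hash matches the pin, it can be fetched over an untrusted channel; `pinned_context` needs a real DER certificate to get past `load_verify_locations`.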

More information about the Gnupg-devel mailing list