Keyserver/security bug 1447 (and 1446 too)
Werner Koch
wk at gnupg.org
Mon Dec 3 14:11:32 CET 2012
On Mon, 3 Dec 2012 13:01, jeanjacquesbrucker at gmail.com said:
> What I didn't understand is that some are still trying to rely for
> security on DNS (or DNSSEC sometimes) and X509 certificates, when we
DNSSEC is actually not too bad - compared to PKIX.
However, we don't need to use the global PKIX; we can use the already
deployed software in a simpler but secure way. Instead of
specifying a CA file, we associate the fingerprint of a certificate with
a given keyserver or pool name and only use this fingerprint to validate
the root CA. Downloading the actual CA file could be automated; the
important part is that it is easy to enter the fingerprint in a conf
file.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are governed by a federal law.
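The per-keyserver fingerprint pin Werner describes, as an added example that is not GnuPG's code: the pin file format, the server names and the certificate bytes are constructed stand-ins, and the fingerprint is assumed to be SHA-256 over the certificate's DER encoding.

```python
import hashlib
import hmac

# Constructed stand-ins for the DER bytes of two root CA certificates.
ROOT_A_DER = b"constructed placeholder: DER of root CA A"
ROOT_B_DER = b"constructed placeholder: DER of root CA B"

def fingerprint(cert_der: bytes) -> str:
    """Fingerprint assumed here to be SHA-256 over the certificate's DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()

def colon_format(hex_fpr: str) -> str:
    """Render a hex fingerprint as AB:CD:..., the form a user would type in a conf file."""
    return ":".join(hex_fpr[i:i + 2] for i in range(0, len(hex_fpr), 2)).upper()

# Constructed pin file in a hypothetical format (not GnuPG's real option syntax):
#   <keyserver or pool name>   <fingerprint of the root CA to accept for it>
PIN_CONFIG = f"""
# name                      root CA fingerprint
hkps.pool.example.org       {colon_format(fingerprint(ROOT_A_DER))}
keys.example.net            {fingerprint(ROOT_B_DER)}   # bare hex is accepted too
"""

def normalize_fingerprint(fpr: str) -> str:
    """Drop colons, blanks and case so 'AB:CD' and 'abcd' compare equal."""
    return "".join(ch for ch in fpr if ch not in ": ").lower()

def parse_pins(text: str) -> dict:
    """Map lower-cased server/pool names to normalized fingerprints; '#' starts a comment."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, fpr = line.split(None, 1)
        pins[name.lower()] = normalize_fingerprint(fpr)
    return pins

PINS = parse_pins(PIN_CONFIG)

def root_ca_is_trusted(server_name: str, root_cert_der: bytes, pins: dict) -> bool:
    """Accept the root CA presented for server_name only if its fingerprint equals the
    pinned one. No pin for the name, or a mismatch, fails closed; the CA file that
    carried the certificate plays no role in the decision."""
    expected = pins.get(server_name.lower())
    if expected is None:
        return False
    return hmac.compare_digest(fingerprint(root_cert_der), expected)
```

Because the decision rests only on the pinned fingerprint, the CA certificate itself can be fetched by any automated means without widening trust.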