Questions about OpenPGP best practices

Daniel Kahn Gillmor dkg at
Tue Feb 26 19:36:38 CET 2013

On 02/26/2013 06:43 AM, Mark H. Wood wrote:
> That service presents a self-signed certificate (I checked), which
> means that if you do not already have a copy of that cert. installed in
> your browser and marked trusted, then it cannot be verified.

This is not correct.  As noted on the web site [0], the public key
associated with the X.509 certificate can be verified through the
OpenPGP web of trust.  It is certified by Kristian's own personal key.

If you know Kristian's personal key, you can verify the web site's
certificate on a debian system by using the msva-perl and
xul-ext-monkeysphere and iceweasel packages.



[0] and

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130226/8a92ebd4/attachment.pgp>

More information about the Gnupg-users mailing list