How to find and verify a trust path?
philip at foolip.org
Wed Sep 18 22:14:40 CEST 2013
On Wed, Sep 18, 2013 at 10:00 PM, NdK <ndk.clanbo at gmail.com> wrote:
> Il 17/09/2013 22:01, Philip Jägenstedt ha scritto:
>> That's fine, I'm just trying to figure out what others do to convince
>> themselves that (e.g.) the GnuPG dist sig key is trustworthy-ish and
>> if there are any tools to help with the boring bits.
> I think "stability" is what most newbies (and probably experienced users
> too) use.
> If the same "identity" keeps using the same key while relating with
> different users, it's "trustworthy". So if I have CDs from some years
> ago and OpenPGP is signed with the same key used today, I can be "sure
> enough" it's not been tampered with and the new file is trustworthy.
> And often it's more important stability over "impossible" verifications
> of "real life identity".
Yeah, that sounds like a useful approach. If I assume that the Wayback
Machine isn't part of a conspiracy against me, then I could use it to
check what signing keys were listed on gnupg.org in the past:
More information about the Gnupg-users