How to find and verify a trust path?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Sep 18 22:20:18 CEST 2013


On 09/18/2013 04:14 PM, Philip Jägenstedt wrote:
> Yeah, that sounds like a useful approach. If I assume that the Wayback
> Machine isn't part of a conspiracy against me, then I could use it to
> check what signing keys were listed on gnupg.org in the past:
> 
> http://web.archive.org/web/20070610103602/http://www.gnupg.org/signature_key.en.html

Given that the above link is cleartext (http instead of https), you're
also trusting every machine connected to the network path between you
and web.archive.org to not imperceptibly MITM your connection.

Regards,

	--dkg
