How to find and verify a trust path?

Philip Jägenstedt philip at foolip.org
Wed Sep 18 22:58:04 CEST 2013


On Wed, Sep 18, 2013 at 10:20 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> On 09/18/2013 04:14 PM, Philip Jägenstedt wrote:
>> Yeah, that sounds like a useful approach. If I assume that the Wayback
>> Machine isn't part of a conspiracy against me, then I could use it to
>> check what signing keys were listed on gnupg.org in the past:
>>
>> http://web.archive.org/web/20070610103602/http://www.gnupg.org/signature_key.en.html
>
> Given that the above link is cleartext (http instead of https), you're
> also trusting every machine connected to the network path between you
> and web.archive.org to not imperceptibly MITM your connection.

Yes, of course I would need to check it from multiple networks, but
even that is no guarantee, since the MITM could just be very close to
web.archive.org.

-- 
Philip Jägenstedt
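
The limit raised in this exchange, as an added example that is not part of the original thread: a cross-check of fingerprint readings that counts independence by the origin host serving the page rather than by the client network used to fetch it. The function names, network labels and the fingerprint value are constructed for illustration; only the archive URL comes from the message above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

ARCHIVE_URL = ("http://web.archive.org/web/20070610103602/"
               "http://www.gnupg.org/signature_key.en.html")

# Constructed sample: one fingerprint (not a real key) as read from three networks.
SAMPLE = [
    ("home",   ARCHIVE_URL, "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"),
    ("work",   ARCHIVE_URL, "0123456789abcdef0123456789abcdef01234567"),
    ("mobile", ARCHIVE_URL, "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67"),
]

def normalize(fpr):
    """Strip spaces and colons, upper-case, and require 40 hex digits (v4 fingerprint)."""
    h = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", h):
        raise ValueError(f"not a 40-hex-digit fingerprint: {fpr!r}")
    return h

def assess(observations):
    """observations: iterable of (network_label, url, fingerprint_text).
    Reports whether the readings agree and how independent they really are."""
    by_fpr = defaultdict(list)
    for network, url, fpr in observations:
        parts = urlsplit(url)
        by_fpr[normalize(fpr)].append((network, parts.scheme, parts.hostname))
    if len(by_fpr) != 1:
        # Disagreement: at least one path or copy was altered.
        return {"consistent": False, "fingerprints": sorted(by_fpr)}
    fpr, seen = next(iter(by_fpr.items()))
    origins = {host for _, _, host in seen}
    return {
        "consistent": True,
        "fingerprint": fpr,
        "client_networks": len({net for net, _, _ in seen}),
        # Readings served by the same host share the last hops to that host,
        # so extra client networks add nothing against a MITM placed there.
        "independent_origins": len(origins),
        "single_point_near_origin": len(origins) == 1,
        # Networks whose fetch was unauthenticated (no TLS).
        "cleartext": sorted({net for net, scheme, _ in seen if scheme != "https"}),
    }

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Agreement across the three networks still yields `independent_origins == 1`, which is the case described above where the MITM sits close to web.archive.org.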



More information about the Gnupg-users mailing list