? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?
ndk.clanbo at gmail.com
Tue Dec 27 22:54:23 CET 2016
Il 27/12/2016 22:09, Don Warner Saklad ha scritto:
> What do you kind folks out there make of comments at
> >"I'm told that key servers carry many phony keys claiming to be
> mine. Here is info about which keys are really mine."
> >"Of course, to be really sure which key is mine, you need to get my
> key fingerprint from me or follow a chain of signatures. If a phony
> key appears to be signed by someone you trust, you should see what's
> up with that person."
> and 4th sentence from the top at
> >"If you want to send me GPG-encrypted mail, do not trust key servers!
> Some of them have phony keys under my name and email address, made by
> someone else as a trick. See gpg.html for my real key."
Why do you find it strange?
Keyservers are just public write-only repositories that do not attempt
to verify the keys.
You have to verify the keys via the WoT (web of trust: "follow a chain
of signatures"), or by other means ("see gpg.html for my real key"), and
that's what Stallman says. Better do both: check that the chain
identifies the key given in gpg.html (must be retrieved via https).
More information about the Gnupg-users