Key selection order

Robert J. Hansen rjh at sixdemonbag.org
Thu Jan 14 17:27:40 CET 2016


> If so, suppose an attacker inserted a fake key with my details into an
> HKP keyserver.  What should I do?

First, recognize that this has likely already happened, and the world
hasn't ended.  :)  Look at how many certificates there are for
president at whitehouse.gov, for instance.

> Is there an obvious way to deal with this that I'm missing

Fingerprint verification.  An attacker can create a fraudulent
certificate, but an attacker cannot (to the best of our knowledge)
create a certificate that has an identical fingerprint to the real one.

And if you're concerned about this, then retrieve certificates based on
fingerprints, not on email addresses.
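
The reason a forged certificate cannot carry the real fingerprint is that an OpenPGP v4 fingerprint is a SHA-1 hash over the public-key packet only (RFC 4880 section 12.2); the User ID packets that carry the name and email address are not hashed in. The following is an added example, not code from the post or from GnuPG: it builds a minimal v4 RSA public-key packet from constructed toy key material (the moduli are far too small to be real keys and exist only so the packet arithmetic can be followed), computes the fingerprint and long key ID, and shows that a second key with the same User ID gets a different fingerprint. `fingerprint_matches` is a hypothetical helper that normalizes the forms people paste (spaces, `0x` prefix, either case) and refuses anything shorter than a full 40-digit fingerprint, such as a bare key ID.

```python
"""OpenPGP v4 fingerprint computation (RFC 4880 section 12.2) as an added example.
Toy key material is constructed for illustration; it is not a real key."""
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2):
    a two-byte big-endian bit count followed by the minimal big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (RFC 4880 5.5.2):
    version byte 4, 4-byte creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """Fingerprint = SHA-1(0x99 || two-byte body length || body), as 40 upper-case hex digits.
    Note that nothing about the User ID enters this hash."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def key_id(fingerprint: str) -> str:
    """The long (64-bit) key ID is the low-order 8 bytes of the fingerprint."""
    return fingerprint[-16:]


def normalize_fingerprint(text: str) -> str:
    """Accept the forms people paste: grouped with spaces, optional 0x prefix, any case."""
    text = text.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    return text.replace(" ", "").upper()


def fingerprint_matches(expected: str, body: bytes) -> bool:
    """Compare a fingerprint obtained out of band (business card, phone call) against the
    key actually retrieved. Only a full 40-digit fingerprint is accepted: a 16-digit key ID
    is a truncation of the hash and is not enough. Hypothetical helper, added here."""
    want = normalize_fingerprint(expected)
    if len(want) != 40 or any(c not in "0123456789ABCDEF" for c in want):
        return False
    return hmac.compare_digest(want, v4_fingerprint(body))


# Constructed toy key material (128-bit moduli, never use anything like this for real).
USER_ID = "Alice Example <alice at example.org>"   # constructed; the same UID on both keys
REAL_N = 0xC3B2A1908F7E6D5C4B3A29181706F5E3
FAKE_N = 0xD4C3B2A1908F7E6D5C4B3A2918170605
PUBLIC_E = 0x10001
CREATED = 1452788860  # 2016-01-14 16:27:40 UTC, the timestamp of the post


if __name__ == "__main__":
    real = v4_rsa_public_key_body(REAL_N, PUBLIC_E, CREATED)
    fake = v4_rsa_public_key_body(FAKE_N, PUBLIC_E, CREATED)
    for label, body in (("real", real), ("fake", fake)):
        fp = v4_fingerprint(body)
        # Same User ID on both, but the fingerprints differ because only key material is hashed.
        print(f"{label}: uid={USER_ID!r} fingerprint={fp} keyid={key_id(fp)}")
```

In practice this is the check behind the post's advice: retrieve with `gpg --recv-keys <40-hex-digit fingerprint>` rather than an email address, then confirm what landed with `gpg --fingerprint` against the value you obtained from the key's owner through some other channel.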
