Key selection order

Robert J. Hansen rjh at
Thu Jan 14 17:27:40 CET 2016

> If so, suppose an attacker inserted a fake key with my details into an
> HKP keyserver.  What should I do?

First, recognize that this has likely already happened, and the world
hasn't ended.  :)  Look at how many certificates there are for
president at, for instance.

> Is there an obvious way to deal with this that I'm missing

Fingerprint verification.  An attacker can create a fraudulent
certificate, but an attacker cannot (to the best of our knowledge)
create a certificate that has an identical fingerprint to the real one.

And if you're concerned about this, then retrieve certificates based on
fingerprints, not on email addresses.

More information about the Gnupg-users mailing list