Key selection order

Lachlan Gunn lachlan at
Thu Jan 14 17:58:22 CET 2016

Le 14 janv. 2016 17:30, "Robert J. Hansen" <rjh at> a écrit :

> Fingerprint verification.  An attacker can create a fraudulent
> certificate, but an attacker cannot (to the best of our knowledge)
> create a certificate that has an identical fingerprint to the real one.

Yes, of course. I'm just wondering whether there's anything that I can do
to increase the probability that a user who looks me up and emails me out
of nowhere will get the right key.

> And if you're concerned about this, then retrieve certificates based on
> fingerprints, not on email addresses.

This breaks the "look up key and then just use ToFU" workflow though, which
is what I was more worried about.  You can't _guarantee_ that other users
will receive the same key, but it would be nice if there were some
possibility that a long-ago added key without an expiry date wouldn't be at
risk of being automatically chosen until the end of time.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160114/3069b91e/attachment.html>

More information about the Gnupg-users mailing list