Key selection order
lachlan at twopif.net
Thu Jan 14 17:58:22 CET 2016
On 14 Jan 2016 17:30, "Robert J. Hansen" <rjh at sixdemonbag.org> wrote:
> Fingerprint verification. An attacker can create a fraudulent
> certificate, but an attacker cannot (to the best of our knowledge)
> create a certificate that has an identical fingerprint to the real one.
Yes, of course. I'm just wondering whether there's anything that I can do
to increase the probability that a user who looks me up and emails me out
of nowhere will get the right key.
> And if you're concerned about this, then retrieve certificates based on
> fingerprints, not on email addresses.
This breaks the "look up key and then just use ToFU" workflow though, which
is what I was more worried about. You can't _guarantee_ that other users
will receive the same key, but it would be nice if there were some
possibility that a long-ago added key without an expiry date wouldn't be at
risk of being automatically chosen until the end of time.
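
The difference between the two lookups discussed in this message, as an added example that is not part of the original post or of GnuPG's code: a version 4 fingerprint (RFC 4880, section 12.2) hashes only the public-key packet, so two certificates can carry the same address yet never share a fingerprint. The keyring, the address and the toy key integers are constructed for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI: two-octet bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880, section 12.2: SHA-1 over 0x99, two-octet length, packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def make_cert(label: str, uid: str, created: int, n: int) -> dict:
    # The user ID is stored beside the key but is NOT hashed into the fingerprint.
    return {"label": label, "uid": uid, "fpr": v4_fingerprint(v4_rsa_key_body(created, n, 65537))}

def select_by_email(keyring: list, email: str) -> list:
    """What an address lookup does: every certificate claiming the address matches."""
    return [c for c in keyring if c["uid"].endswith(f"<{email}>")]

def select_by_fingerprint(keyring: list, fpr: str):
    """Match on the full fingerprint only; short or long key IDs are refused."""
    wanted = "".join(fpr.split()).upper()
    if len(wanted) != 40 or any(ch not in "0123456789ABCDEF" for ch in wanted):
        raise ValueError("expected a full 40-hex-digit v4 fingerprint")
    matches = [c for c in keyring if c["fpr"] == wanted]
    return matches[0] if len(matches) == 1 else None

# Constructed sample data: toy integers standing in for RSA moduli, not real keys.
UID = "Alice Example <alice@example.org>"
KEYRING = [
    make_cert("old-no-expiry", UID, 1104537600, 0xC0FFEE0123456789ABCDEF0123456789),
    make_cert("current", UID, 1452790702, 0xDEADBEEF0123456789ABCDEF01234567),
]

if __name__ == "__main__":
    print(len(select_by_email(KEYRING, "alice@example.org")), "certificates claim the address")
    print("pinned:", select_by_fingerprint(KEYRING, KEYRING[1]["fpr"])["label"])
```
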