Key selection order
Robert J. Hansen
rjh at sixdemonbag.org
Thu Jan 14 20:37:47 CET 2016

> Sure, but you have to bootstrap somehow.

That's when you ask your correspondent, "I need your certificate
fingerprint, please."  I don't see what the problem is.

> I'm not saying that we should all just blindly accept whatever the
> keyservers say, I just wanted to know whether there was anything useful
> that one could do with the current infrastructure when they _knew_ that
> they were already under attack.

And you've been told!  If you know you're being targeted by a malicious
actor, stop using TOFU and fall back to fingerprint verification.

Why are we still talking about this?
    
    