Key selection order
Robert J. Hansen
rjh at sixdemonbag.org
Thu Jan 14 20:37:47 CET 2016
> Sure, but you have to bootstrap somehow.
That's when you ask your correspondent, "I need your certificate
fingerprint, please." I don't see what the problem is.
> I'm not saying that we should all just blindly accept whatever the
> keyservers say, I just wanted to know whether there was anything useful
> that one could do with the current infrastructure when they _knew_ that
> they were already under attack.
And you've been told! If you know you're being targeted by a malicious
actor, stop using TOFU and fall back to fingerprint verification.
Why are we still talking about this?
More information about the Gnupg-users