Key selection order

Robert J. Hansen rjh at
Thu Jan 14 20:37:47 CET 2016

> Sure, but you have to bootstrap somehow.

That's when you ask your correspondent, "I need your certificate
fingerprint, please."  I don't see what the problem is.

> I'm not saying that we should all just blindly accept whatever the
> keyservers say, I just wanted to know whether there was anything useful
> that one could do with the current infrastructure when they _knew_ that
> they were already under attack.

And you've been told!  If you know you're being targeted by a malicious
actor, stop using TOFU and fall back to fingerprint verification.

Why are we still talking about this?

More information about the Gnupg-users mailing list