Houston, we have a problem
Ralph Seichter
m16+gnupg at monksofcool.net
Thu Sep 21 21:59:26 CEST 2017
On 21.09.17 21:38, Stefan Claas wrote:
> The thing is someone could issue a fake sig3 from Heise's CA key to
> someone else's pub key, without that customers would detect it,
> nor Heise would know it, until of course they would see the keys in
> question.
I'm not certain what problem you see that has not been around for as
long as PGP/GPG has existed? You can only ever be certain of a signature if
you have personally verified the signing key and the signer's identity.
That's why the default owner trust level is "unknown" (not trusted).
-Ralph