Web lists-archives.com

Re: gpg ca-cert-file=[which file???]




On 7/15/17, Jim Garrison wrote:
> On 7/15/2017 11:40 AM, Lee wrote:
>> It seems a bit silly to be downloading pgp keys 'in the clear', so
>> after a bit of searching I think I want
>>   keyserver hkps://whatever
>
> Public keys are intended to be public. Why do you think you need
> to encrypt them when downloading?

I had wireshark running when I got a new key via hpk:// and it was
straight http.  What does that open me up to?  I dunno, but it seems
like using TLS would be better than clear-text http.

So while I don't need to encrypt the public key when downloading, I do
want to have some confidence that the key I requested is the key I
got, that the server I specified is the server gpg was talking to,
that nothing was modified in transit, etc.


This is what got me started on the topic:
https://lists.torproject.org/pipermail/tor-project/2017-July/001289.html

What can I do to reduce the chances of getting a fake key?
 - keyid-format 0xlong
 - use hkps:// and check the cert (keyserver-options check-cert=on)
 - what else?

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple