On Wed, Jul 20, 2011 at 12:32:32PM +0200, markus schnalke wrote: > On 20 July 2011 11:06, Nick <suckless-...@njw.me.uk> wrote: > > But just downloading the key from a keyserver, even if it isn't > > trusted by your web of trust, is better than e.g. just > > distributing a hash, [...] > > The concept of PGP trust lies in the Web-of-Trust, nowhere else. If > you don't find a trust-path from you to the signing key, then the > signature does only provide the information of a checksum hash.
Yes. I was being slightly unreasonable in saying it was better. I only meant it's like a "hash with benefits", e.g. it does hashing, plus verification if you want / need it.
