On 27 August 2017 at 00:19, Mattias Andrée <maand...@kth.se> wrote:
> The users must be able to find the appropriate keys some way the first
> time, so suckless must at least have links to them. If suckless is
> compromised, these can be replaced. PGP keys only ensure that future
> keys are not fraudulent, as all new keys should be signed by the old keys.
> SSL certificates ensure that the PGP keys are not tampered with by
> anyone outside suckless. Thus, hosting the keys on suckless.org, when
> it has HTTPS, is more secure than everyone's private home pages outside
> suckless.org that do not have SSL certificates.
Perhaps I'm old-fashioned, but in the older days there used to be the strategy to display your PGP fingerprint in mail signatures and lots of other places, to ensure that over time, and with a high degree of footprint throughout the net, it would be a rather easy cognitive task to base trust on that. But I didn't notice this approach for a while and did stop it myself back in 2008 or so...

BR, Anselm
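The key-continuity model the two messages discuss (the first key trusted through a fingerprint learned out of band, every later key signed by the key before it) as an added example that is not from this thread or from suckless; it uses Ed25519 and a SHA-256 fingerprint as stand-ins for PGP, and all keys are generated on the spot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)
// Rotation records one key rollover: the new public key plus a signature over it
// made with the previous (then-current) private key, as the thread describes.
type Rotation struct {
	NewKey ed25519.PublicKey
	Sig    []byte
}
// Fingerprint stands in for a PGP fingerprint: SHA-256 of the raw public key.
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// VerifyChain accepts each new key only if the currently trusted key signed it.
// trustedFP is the fingerprint the user learned out of band (e.g. from a mail
// signature); root is the key that claims to match it. Returns the current key.
func VerifyChain(trustedFP string, root ed25519.PublicKey, chain []Rotation) (ed25519.PublicKey, error) {
	if Fingerprint(root) != trustedFP {
		return nil, errors.New("root key does not match the trusted fingerprint")
	}
	cur := root
	for _, r := range chain {
		if len(r.NewKey) != ed25519.PublicKeySize || !ed25519.Verify(cur, r.NewKey, r.Sig) {
			return nil, errors.New("rotation not signed by the current key: possible substitution")
		}
		cur = r.NewKey
	}
	return cur, nil
}

// BuildChain generates a root key and n successive rotations, each signed by its
// predecessor (constructed test data, not any real project's keys).
func BuildChain(n int) (ed25519.PublicKey, []Rotation) {
	root, priv, _ := ed25519.GenerateKey(rand.Reader)
	chain := make([]Rotation, 0, n)
	for i := 0; i < n; i++ {
		npub, npriv, _ := ed25519.GenerateKey(rand.Reader)
		chain = append(chain, Rotation{NewKey: npub, Sig: ed25519.Sign(priv, npub)})
		priv = npriv
	}
	return root, chain
}
```

A key swapped into the published chain without the previous key's signature, or a root that does not match the fingerprint the reader already holds, is rejected; only the first fingerprint has to reach the user by a channel the site cannot alter.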