Daniel Kahn Gillmor wrote:
> guys, with all due respect, the original poster was not asking for a
> philosophical digression. he was asking how he could practically
> identify the provenance of the copy of gpg he was hoping to use.

John Clizbe answered, "[i]f you're so committed to this verified and signed thing that you're unwilling to trust anything, you should probably look into building some things of your own." My remark was a very serious warning: if the OP is so committed, my "philosophical digression" is what lies at the bottom of that rabbit-hole.

> John Clizbe has offered one practical choice (see if PGP Corp. offers a
> demo version with a signed executable).

Active MitM assumes that you have an attacker who is technically skilled and highly motivated. It is ludicrous to think that an attacker skilled enough to do active MitM and motivated enough to go after you directly would for some reason be constrained to play within the carefully defined box the crypto community has created. Rule number one of successful attacks: get outside the box.

If the OP is seriously concerned that there's an active MitM attack going on against him, he needs to get off the internet and obtain the professional services he needs to end the threat.

No, I'm not kidding.