On 14 Jan 2016 17:30, "Robert J. Hansen" <r...@sixdemonbag.org> wrote:

> Fingerprint verification.  An attacker can create a fraudulent
> certificate, but an attacker cannot (to the best of our knowledge)
> create a certificate that has an identical fingerprint to the real one.

Yes, of course. I'm just wondering whether there's anything that I can do
to increase the probability that a user who looks me up and emails me out
of nowhere will get the right key.

> And if you're concerned about this, then retrieve certificates based on
> fingerprints, not on email addresses.

This breaks the "look up key and then just use ToFU" workflow though, which
is what I was more worried about.  You can't _guarantee_ that other users
will receive the same key, but it would be nice if there were some
possibility that a long-ago added key without an expiry date wouldn't be at
risk of being automatically chosen until the end of time.

Thanks,
Lachlan
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
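
The difference between the two lookups discussed in this message, as an added example that is not part of either poster's text: it parses constructed `gpg --with-colons --list-keys` output in which two unrelated keys claim the same address. The fingerprints, the address and the helper names are made up for illustration, and 40-hex-digit (v4) fingerprints are assumed.

```python
# Constructed sample data: an old key with no expiry and a newer key,
# both carrying the same user ID. All values are invented.
FPR_OLD = "A" * 24 + "1" * 16
FPR_SUB = "B" * 24 + "2" * 16
FPR_NEW = "C" * 24 + "3" * 16
LISTING = f"""\
pub:-:4096:1:{FPR_OLD[-16:]}:1262304000:::-:::scESC:
fpr:::::::::{FPR_OLD}:
uid:-::::1262304000::0000::Alice Example <alice@example.org>:
sub:-:4096:1:{FPR_SUB[-16:]}:1262304000::::::e:
fpr:::::::::{FPR_SUB}:
pub:-:4096:1:{FPR_NEW[-16:]}:1451606400:1514764800::-:::scESC:
fpr:::::::::{FPR_NEW}:
uid:-::::1451606400::0000::Alice Example <alice@example.org>:
"""

def parse_keys(listing):
    """Group colon-format records into one dict per primary key."""
    keys, current, want_primary_fpr = [], None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 7 is the expiry timestamp; empty means "never expires".
            current = {"fpr": None, "expires": f[6] or None, "uids": []}
            keys.append(current)
            want_primary_fpr = True
        elif f[0] == "fpr" and want_primary_fpr:
            current["fpr"] = f[9]      # later fpr records belong to subkeys
            want_primary_fpr = False
        elif f[0] == "uid" and current is not None:
            current["uids"].append(f[9])
    return keys

def by_email(keys, email):
    """Every primary key claiming this address; anyone can add to this list."""
    needle = "<" + email.lower() + ">"
    return [k["fpr"] for k in keys if any(needle in u.lower() for u in k["uids"])]

def by_fingerprint(keys, expected):
    """The one primary key with exactly this full fingerprint, or None."""
    want = expected.replace(" ", "").upper()
    if len(want) != 40 or any(c not in "0123456789ABCDEF" for c in want):
        raise ValueError("need a full 40-hex-digit fingerprint, not a key ID")
    matches = [k for k in keys if k["fpr"] == want]
    return matches[0] if len(matches) == 1 else None
```

The e-mail lookup returns both keys, including the old one that never expires, while the fingerprint lookup selects one key or none.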
