> Sure, but you have to bootstrap somehow. That's when you ask your correspondent, "I need your certificate fingerprint, please." I don't see what the problem is.
>
> I'm not saying that we should all just blindly accept whatever the
> keyservers say, I just wanted to know whether there was anything useful
> that one could do with the current infrastructure when they _knew_ that
> they were already under attack.

And you've been told! If you know you're being targeted by a malicious actor, stop using TOFU and fall back to fingerprint verification. Why are we still talking about this?

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users