> Sure, but you have to bootstrap somehow.

That's when you ask your correspondent, "I need your certificate
fingerprint, please."  I don't see what the problem is.

> I'm not saying that we should all just blindly accept whatever the
> keyservers say, I just wanted to know whether there was anything useful
> that one could do with the current infrastructure when they _knew_ that
> they were already under attack.

And you've been told!  If you know you're being targeted by a malicious
actor, stop using TOFU and fall back to fingerprint verification.

Why are we still talking about this?


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to