On 27/12/2016 22:09, Don Warner Saklad wrote:
> What do you kind folks out there make of comments at
> https://stallman.org/gpg.html
>
>"I'm told that key servers carry many phony keys claiming to be
> mine. Here is info about which keys are really mine."
>
>
>"Of course, to be really sure which key is mine, you need to get my
> key fingerprint from me or follow a chain of signatures. If a phony
> key appears to be signed by someone you trust, you should see what's
> up with that person."
>
>
> and 4th sentence from the top at
> https://stallman.org
>
>"If you want to send me GPG-encrypted mail, do not trust key servers!
> Some of them have phony keys under my name and email address, made by
> someone else as a trick. See gpg.html for my real key."

Why do you find it strange?
Keyservers are just public write-only repositories that do not attempt
to verify the keys. You have to verify the keys via the WoT (web of
trust: "follow a chain of signatures"), or by other means ("see gpg.html
for my real key"), and that's what Stallman says.

Better do both: check that the chain identifies the key given in
gpg.html (must be retrieved via https).
BYtE,
 Diego
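An added example, not part of the message above: it shows why a keyserver lookup by name or address cannot pick the right key, and how selection by a full fingerprint obtained out of band does. The listing is constructed sample data in gpg's `--with-colons` format; the user ID, fingerprints and the helper names `parse_keys`, `claimants` and `select_trusted` are assumptions made for illustration.

```python
# Constructed sample in gpg's --with-colons listing format (not real keys):
# two different keys carry the same user ID, as with phony keyserver uploads.
SAMPLE_LISTING = """\
pub:-:4096:1:89ABCDEF01234567:1356998400:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1356998400::HASH1::Example Person <person@example.org>:
pub:-:4096:1:76543210FEDCBA98:1420070400:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::1420070400::HASH2::Example Person <person@example.org>:
"""

HEX = set("0123456789ABCDEF")

def normalize(fpr):
    """Drop spaces and colons, upper-case; reject short key IDs and non-hex."""
    s = fpr.replace(" ", "").replace(":", "").upper()
    if len(s) < 40 or not set(s) <= HEX:
        raise ValueError("need a full hex fingerprint, not a key ID")
    return s

def parse_keys(listing):
    """Return one {'fpr', 'uids'} dict per 'pub' record in the listing."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"fpr": None, "uids": []})
        elif len(f) > 9 and keys:
            if f[0] == "fpr" and keys[-1]["fpr"] is None:
                keys[-1]["fpr"] = f[9].upper()   # field 10; first fpr is the primary key
            elif f[0] == "uid":
                keys[-1]["uids"].append(f[9])    # field 10; self-asserted, unverified
    return keys

def claimants(listing, address):
    """Fingerprints of every key whose user ID mentions the address."""
    return [k["fpr"] for k in parse_keys(listing)
            if any(address in u for u in k["uids"])]

def select_trusted(listing, trusted_fpr):
    """Pick the key by the fingerprint obtained out of band; ignore user IDs."""
    want = normalize(trusted_fpr)
    for k in parse_keys(listing):
        if k["fpr"] == want:
            return k
    return None

if __name__ == "__main__":
    print(claimants(SAMPLE_LISTING, "person@example.org"))
    print(select_trusted(SAMPLE_LISTING, "FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98"))
```

The user ID matches both keys, so only the fingerprint comparison distinguishes them; a 16-character key ID is rejected because it is not the full fingerprint.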