On 161227-22:54+0100, NdK wrote:
> On 27/12/2016 22:09, Don Warner Saklad wrote:
> > What do you kind folks out there make of comments at
> > https://stallman.org/gpg.html
> > >"I'm told that key servers carry many phony keys claiming to be
> > mine. Here is info about which keys are really mine."
> >
> > >"Of course, to be really sure which key is mine, you need to get my
> > key fingerprint from me or follow a chain of signatures. If a phony
> > key appears to be signed by someone you trust, you should see what's
> > up with that person."
> >
> >
> > and 4th sentence from the top at
> > https://stallman.org
> > >"If you want to send me GPG-encrypted mail, do not trust key servers!
> > Some of them have phony keys under my name and email address, made by
> > someone else as a trick. See gpg.html for my real key."
> Why do you find it strange?
> Keyservers are just public write-only repositories that do not attempt
> to verify the keys.
> You have to verify the keys via the WoT (web of trust: "follow a chain
> of signatures"), or by other means ("see gpg.html for my real key"), and
> that's what Stallman says. Better do both: check that the chain
> identifies the key given in gpg.html (must be retrieved via https).
>
It's a different topic, but it might have the unreliability of
keyservers for its justification:

The fact that Github, since this outgoing year, accepts gpg signing only
if you post your public key to their servers.

Or does it? Is it more like Github wants to collect and control?

I know it was possible to:

    $ cd <your git project>
    $ git tag <version> -s
    $ git push --tags

and all was there, signed and verifiable for everybody, without the need
to have previously posted your own public key to github.com. Up until
just last year, IIRC.

Any ideas for true reasons behind that move? And is it an improvement,
or quite the contrary?

-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
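Added example, not part of the original thread: the check the quoted reply describes (several keys carry the same name and address, and only the one whose fingerprint matches a value obtained out of band is accepted), written as a filter over `gpg --with-colons` output. The function names, the sample listing and every fingerprint in it are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): among keys that all carry the same
# user ID, accept only the one whose primary fingerprint equals a
# fingerprint obtained out of band (e.g. from an https page).

# Strip spaces and colons, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'abcdef' 'ABCDEF'
}

# match_trusted_fpr TRUSTED_FPR   (gpg --with-colons listing on stdin)
# Prints MATCH/REJECT per primary key. Status: 0 = exactly one match,
# 1 = no (or ambiguous) match, 2 = TRUSTED_FPR is not 40 hex digits.
match_trusted_fpr() {
    want=$(normalize_fpr "$1")
    case "$want" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2   # short key IDs are refused
    awk -F: -v want="$want" '
        $1 == "pub" { primary = 1; next }   # next fpr is the primary key
        $1 == "sub" { primary = 0; next }   # next fpr is only a subkey
        $1 == "fpr" && primary {
            primary = 0
            if ($10 == want) { print "MATCH  " $10; hits++ }
            else             { print "REJECT " $10 }
        }
        END { exit (hits == 1 ? 0 : 1) }'
}

# Constructed, simplified colon listing: two keys, same user ID.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1482876540:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1482876540::::Example Person <person@example.org>:
sub:-:4096:1:0123456789ABCDEF:1482876540::::::e:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:-:4096:1:FEDCBA9876543210:1482876541:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::1482876541::::Example Person <person@example.org>:
EOF
}

# Constructed fingerprint standing in for the one published out of band.
TRUSTED='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
sample_listing | match_trusted_fpr "$TRUSTED" || echo "no verified key"
```

On a real keyring the listing would come from `gpg --with-colons --fingerprint --list-keys <address>` instead of `sample_listing`.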