On Wed, 1 Feb 2023 16:51, Martin said:

> It just seemed like a contradiction to me if a key for security
> reasons should be downloaded from a website with an insufficient
> certificate ;-)

That is not really a matter. X.509 certificates as well as PGP keys are self-contained. All OpenPGP applications check the integrity of newly imported keys. However, only the integrity can be checked but not whether the key actually belongs to the entity it claims it belongs to (validity or trust). Thus you either need to verify the fingerprint of the key or use a signature on the key issued by keys you already validated (cf. Web of Trust, trusted introducer).

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
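
The fingerprint check mentioned in the reply above, as an added example that is not part of the original message and is not GnuPG code: it derives the version 4 fingerprint (RFC 4880, section 12.2) from the key bytes themselves and compares it with a fingerprint obtained out of band, so the channel the key was downloaded over does not matter. It assumes a binary (dearmored) version 4 key; the function names are hypothetical and the sample packet is constructed, not a real key.

```python
import hashlib
import struct

PUBLIC_KEY_TAG = 6  # OpenPGP packet tag of a primary public key


def first_public_key_body(data: bytes) -> bytes:
    """Return the body of the leading public-key packet of a binary key."""
    if len(data) < 6 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    hdr = data[0]
    if hdr & 0x40:  # new-format packet header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, start = first, 2
        elif first < 224:
            length, start = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, start = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not handled here")
    else:  # old-format packet header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not handled here")
        size = (1, 2, 4)[ltype]
        length, start = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[start:start + length]
    if tag != PUBLIC_KEY_TAG or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete version 4 public-key packet")
    return body


def v4_fingerprint(data: bytes) -> str:
    """SHA-1 over 0x99, a two-octet length, then the packet body."""
    body = first_public_key_body(data)
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()


def matches_trusted_fingerprint(data: bytes, trusted: str) -> bool:
    """Compare with a fingerprint obtained out of band (spaces, case ignored)."""
    return v4_fingerprint(data) == "".join(trusted.split()).upper()


# Constructed sample: a v4 packet with made-up key material (not a real key).
SAMPLE_BODY = b"\x04" + struct.pack(">I", 1675266660) + b"\x16" + bytes(range(40))
SAMPLE_KEY = bytes([0xC0 | PUBLIC_KEY_TAG, len(SAMPLE_BODY)]) + SAMPLE_BODY
```

A key that was swapped or altered in transit still parses as a well-formed packet, but `matches_trusted_fingerprint` returns `False` for it.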