On Wed,  1 Feb 2023 16:51, Martin said:

> It just seemed like a contradiction to me if a key for security
> reasons should be downloaded from a website with an insufficient
> certificate ;-)

That does not really matter.  X.509 certificates as well as PGP keys are
self-contained.  All OpenPGP applications check the integrity of newly
imported keys.

However, only the integrity can be checked but not whether the key
actually belongs to the entity it claims it belongs to (validity or
trust).  Thus you either need to verify the fingerprint of the key or
use signatures on the key issued by keys you already validated (cf. Web
of Trust, trusted introducer).


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

Attachment: openpgp-digital-signature.asc
Description: PGP signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
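
The fingerprint check described in the message above can be scripted; this is an added example, not part of the original post or of GnuPG. It reads the machine-readable listing produced by `gpg --show-keys --with-colons <file>` and compares the primary-key fingerprint with one obtained out-of-band. The function names and the sample key listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `gpg --show-keys --with-colons downloaded-key.asc`
# output (not a real key): one primary key and one encryption subkey.
SAMPLE='pub:-:255:22:89ABCDEF01234567:1675267200:::-:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1675267200::0000000000000000000000000000000000000000::Example Key <key@example.org>::::::::::0:
sub:-:255:18:0123456789ABCDEF:1675267200::::::e:::::cv25519::
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Print primary-key fingerprints from a colon listing on stdin.
# An "fpr" record describes the preceding pub/sub record and carries the
# fingerprint in field 10; fingerprints of subkeys are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Normalise a fingerprint as a person would type or paste it:
# strip spaces and colons, convert hex digits to upper case.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Usage: gpg --show-keys --with-colons key.asc | fpr_matches "EXPECTED FPR"
# Returns 0 on a match, 1 on a mismatch, 2 if the comparison is refused.
fpr_matches() {
    expected=$(normalise_fpr "$1")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    # Refuse files holding no key or several keys: the caller must know
    # exactly which key the expected fingerprint is being compared to.
    [ "$count" -eq 1 ] || return 2
    # Refuse anything that is not a full fingerprint (40 hex digits for
    # v4 keys); short or long key IDs are not sufficient for validation.
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -ge 40 ] || return 2
    [ "$found" = "$expected" ]
}
```

The expected fingerprint has to come from a channel independent of the download (a business card, a phone call, a signed release note); a fingerprint read from the same web page as the key proves nothing beyond integrity.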
