On 7/15/17, Jim Garrison wrote:
> On 7/15/2017 11:40 AM, Lee wrote:
>> It seems a bit silly to be downloading pgp keys 'in the clear', so
>> after a bit of searching I think I want
>> keyserver hkps://whatever
>
> Public keys are intended to be public. Why do you think you need
> to encrypt them when downloading?
I had wireshark running when I got a new key via hkp:// and it was straight http. What does that open me up to? I dunno, but it seems like using TLS would be better than clear-text http. So while I don't need to encrypt the public key when downloading, I do want to have some confidence that the key I requested is the key I got, that the server I specified is the server gpg was talking to, that nothing was modified in transit, etc.

This is what got me started on the topic:
https://lists.torproject.org/pipermail/tor-project/2017-July/001289.html

What can I do to reduce the chances of getting a fake key?
- keyid-format 0xlong
- use hkps:// and check the cert (keyserver-options check-cert=on)
- what else?

Regards,
Lee

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
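The settings Lee lists (hkps, check-cert, 0xlong key IDs) protect the transport and make key IDs harder to spoof, but they do not by themselves confirm that the key returned is the one you wanted. The usual complement is to obtain the full 40-hex-digit fingerprint out of band and compare it against what gpg actually imported. The script below is an added example, not code from the thread or from the GnuPG project: it writes the hardened gpg.conf lines from the thread, parses gpg's machine-readable `--with-colons` listing (the `fpr` record carries the fingerprint in field 10), and checks for a pinned fingerprint. The keyserver hostname, the sample key ID and the fingerprint in the constructed listing are placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): pin a full fingerprint and verify the
# key gpg imported against it. Runs offline on a constructed sample listing.

# gpg.conf lines matching the options named in the thread. Note: check-cert is
# a gpg 2.0 / 1.4 keyserver option; in gpg 2.1+ the TLS handling moved to
# dirmngr, so check there for the equivalent setting. Hostname is a placeholder.
hardened_gpg_conf() {
    cat <<'EOF'
keyid-format 0xlong
keyserver hkps://keyserver.example.org
keyserver-options check-cert=on
EOF
}

# Read `gpg --with-colons --fingerprint <keyid>` output on stdin and print the
# full fingerprint of every "fpr" record (field 10 in the colon format).
fingerprints_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Return 0 only if the pinned fingerprint (spaces and case ignored) is present
# in the colon-format listing read from stdin. A short or long key ID is not
# enough here: the check is on the whole fingerprint.
verify_pinned_fpr() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    fingerprints_from_colons | grep -qx "$expected"
}

# Constructed sample listing in gpg's --with-colons layout (fake key data).
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>::::::::::0:'

# Stand-alone run: show the config, then check the sample against a pinned
# fingerprint obtained out of band (here, the constructed value above).
if [ "${1:-}" = "--demo" ]; then
    hardened_gpg_conf
    if printf '%s\n' "$SAMPLE_LISTING" | verify_pinned_fpr "AAAA 1111 BBBB 2222 CCCC 3333 DDDD 4444 EEEE 5555"; then
        echo "fingerprint matches pinned value"
    else
        echo "FINGERPRINT MISMATCH: do not trust this key" >&2
        exit 1
    fi
fi
```

In real use, replace the sample with a live listing, e.g. `gpg --with-colons --fingerprint 0x0123456789ABCDEF | verify_pinned_fpr "<fingerprint from a trusted channel>"`, and treat a non-zero exit as a reason not to use the key. The comparison is done on the full fingerprint precisely because 32-bit and even 64-bit key IDs can be matched by an attacker-generated key, which is the failure the tor-project thread Lee links is about.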