Thanks once again. This might be a tangential discussion but can you tell
me why key requests over TLS are pointless? In building a secure
environment ground-up, ensuring that the basic infrastructure (public keys
et al) was pristine to begin with is a very important requirement. If the
key is served over HTTP, it is possible that the base copy was mangled
when it was first downloaded. Any Perl modules that are later
verified with this potentially mangled public key become questionable
since we don’t know that the key was pristine to begin with. Please tell
me if I’m understanding this incorrectly.

Abhijith 

On 7/19/14, 4:53 PM, "Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯" <da...@cpan.org> wrote:

>> where it fetches the public key from?
>
>From the configured
>[SKS](http://enwp.org/Key_server_%28cryptographic%29#External_links):
>
>    $ ack ^keyserver ~/.gnupg/gpg.conf
>    keyserver hkp://keys.gnupg.net
>    keyserver-options auto-key-retrieve verbose no-include-revoked
>
>It does not really matter. The servers sync their databases regularly.
>The hostname keys.gnupg.net is a DNS round-robin pool.
>
>> key server supports secured key requests over TLS?
>
>No, that's pointless.
