Hello,

I haven’t heard any response regarding this. Just wanted to bring it back
to the forefront and check if anyone knew about the reason why secured key
requests aren’t provisioned?

Thanks,
Abhijith

On 7/20/14, 4:58 PM, "Abhijith Chandrashekar"
<abhijith.chandrashe...@citrix.com> wrote:

>Thanks once again. This might be a tangential discussion but can you tell
>me why key requests over TLS are pointless? In building a secure
>environment ground-up, ensuring that the basic infrastructure (public keys
>et al) was pristine to begin with is a very important requirement. If the
>key is served over HTTP, it is possible that the base copy was mangled
>with when it was first downloaded. Any Perl modules that are later
>verified with this potentially mangled public key become questionable
>since we don’t know that the key was pristine to begin with. Please tell
>me if I’m understanding this incorrectly.
>
>Abhijith 
>
>On 7/19/14, 4:53 PM, "Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯" <da...@cpan.org> wrote:
>
>>> where it fetches the public key from?
>>
>>From the configured
>>[SKS](http://enwp.org/Key_server_%28cryptographic%29#External_links):
>>
>>    $ ack ^keyserver ~/.gnupg/gpg.conf
>>    keyserver hkp://keys.gnupg.net
>>    keyserver-options auto-key-retrieve verbose no-include-revoked
>>
>>It does not really matter. The servers sync their databases regularly.
>>The hostname keys.gnupg.net is a DNS round-robin pool.
>>
>>> key server supports secured key requests over TLS?
>>
>>No, that's pointless.
>
