On Mar 22, 2020, Florian Zieboll wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Sun, 22 Mar 2020 08:02:51 -0400
> Dan Purgert <d...@djph.net> wrote:
>
> > On Mar 21, 2020, Adrian Zaugg wrote:
> > >
> > > Please get your keys always over secured connections. Use https.
> >
> > The entire point of the public key is that it can be obtained over any
> > insecure medium, and still provide the correct signature verification.
>
>
> Hallo Dan,
>
> please re-check what you wrote here - I am sure that you have been
> confused. Let me correct your statement:

I meant what I said.

You getting my pgp key (8e11ddf31279a281) from https://mysite has no inherent benefit over getting it from http://mysite. Or likewise, getting "notDansRealKey" from "https://notmysite" doesn't actually protect you.

Your trust in my key (and therefore, my signature) should not be founded on _where_ you got it from, but your own personal web of trust made up of (hopefully!) people you know and trust to do their due diligence for confirming I am me. (Or in the specific case of the devuan signing key, that the devuan key is actually owned by the team).

-- 
|_|O|_|
|_|_|O|  Github: https://github.com/dpurgert
|O|O|O|  PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
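
Added example, not part of the original message and not code posted by anyone in the thread: a Python sketch of the point argued above, where a fetched key is accepted because its fingerprint matches one already trusted, with the URL scheme playing no part in the decision. The key material is constructed toy data, the function names are hypothetical, and the trusted fingerprint is assumed to have been confirmed out of band (for example through signatures from people you trust).

```python
import hashlib
import struct

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 sec. 12.2: SHA-1 over 0x99, 2-byte length, public-key packet body."""
    if not body or body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    if len(body) > 0xFFFF:
        raise ValueError("body too long for the 2-byte length field")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def normalize(fpr: str) -> str:
    """Make '05CA 9A50 ...' and '05ca9a50...' compare equal; reject anything else."""
    cleaned = "".join(fpr.split()).upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return cleaned

def key_id(fpr: str) -> str:
    """The long key ID is the low 64 bits (last 16 hex digits) of the fingerprint."""
    return normalize(fpr)[-16:]

def accept_key(body: bytes, trusted_fpr: str) -> bool:
    """Decide on the key bytes alone; the transport they arrived over is not an input."""
    return v4_fingerprint(body) == normalize(trusted_fpr)

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def toy_rsa_body(modulus: int) -> bytes:
    """Constructed packet body: version 4, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", 1584878571) + b"\x01" + mpi(modulus) + mpi(65537)

# Constructed sample data, not real keys.
GENUINE = toy_rsa_body((1 << 2047) | 12345)
SWAPPED = toy_rsa_body((1 << 2047) | 54321)
# Stand-in for a fingerprint you confirmed through your web of trust.
TRUSTED = v4_fingerprint(GENUINE)

if __name__ == "__main__":
    for source, body in [("http://mysite", GENUINE), ("https://mysite", GENUINE),
                         ("https://notmysite", SWAPPED)]:
        print(source, "accepted" if accept_key(body, TRUSTED) else "REJECTED")
    # Fingerprint and key ID as they appear in the message above.
    print(key_id("05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281"))
```
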