On Mar 22, 2020, Florian Zieboll wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> On Sun, 22 Mar 2020 08:02:51 -0400
> Dan Purgert <d...@djph.net> wrote:
> 
> > On Mar 21, 2020, Adrian Zaugg wrote:
> > 
> > > Please get your keys always over secured connections. Use https.  
> > 
> > The entire point of the public key is that it can be obtained over any
> > insecure medium, and still provide the correct signature verification.
> 
> 
> Hallo Dan,
> 
> please re-check what you wrote here - I am sure that you have been
> confused. Let me correct your statement: 

I meant what I said.

You getting my PGP key (8e11ddf31279a281) from https://mysite has no
inherent benefit over getting it from http://mysite.  Or likewise,
getting "notDansRealKey" from "https://notmysite" doesn't actually
protect you.

Your trust in my key (and therefore, my signature) should not be founded
on _where_ you got it from, but your own personal web of trust made up
of (hopefully!) people you know and trust to do their due diligence for
confirming I am me. (Or in the specific case of the Devuan signing key,
that the Devuan key is actually owned by the team).

-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
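
An added example, not part of the original post: a transport-independent acceptance check for a fetched key. It assumes you already hold the full fingerprint from a source you trust (people in your web of trust, or an in-person exchange); the function names and the sample listing are constructed for illustration, and only the fingerprint and key ID come from the message above.

```python
import re

# Constructed sample of `gpg --show-keys --with-colons` output for a fetched
# key file. Only the fingerprint and key ID come from the post; the algorithm,
# dates, user ID and subkey are made up.
SAMPLE_LISTING = """\
pub:-:4096:1:8E11DDF31279A281:1500000000:::-:::scESC:
fpr:::::::::05CA9A503F2E13354DC54AEE8E11DDF31279A281:
uid:-::::1500000000::::Example User <user@example.invalid>:
sub:-:4096:1:1111111111111111:1500000000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
"""

def normalize(fpr):
    """Strip spaces and case; require a full 40-hex-digit (v4) fingerprint."""
    hexstr = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexstr):
        raise ValueError("need a full 40-hex-digit fingerprint, not a key ID")
    return hexstr

def primary_fingerprints(listing):
    """Return the fingerprint of each primary key in a colon listing.

    In this format the `fpr` record that follows a `pub` record carries the
    primary key's fingerprint in field 10; `fpr` records after `sub` are
    subkey fingerprints and are skipped.
    """
    found, want_fpr = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            want_fpr = True
        elif fields[0] == "fpr" and want_fpr and len(fields) > 9:
            found.append(fields[9].upper())
            want_fpr = False
        elif fields[0] in ("sub", "sec", "ssb"):
            want_fpr = False
    return found

def accept_key(listing, trusted_fpr, source_url):
    """Accept only a file holding exactly one primary key whose fingerprint
    equals the trusted one. source_url is deliberately unused: where the key
    came from does not enter the decision."""
    fprs = primary_fingerprints(listing)
    return len(fprs) == 1 and fprs[0] == normalize(trusted_fpr)
```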
