On 11 Oct 2012, at 09:57, Noah Slater wrote:

> On Thu, Oct 11, 2012 at 9:01 AM, Nick Kew <[email protected]> wrote:
>
>> You have to extend that assumption not only to our infrastructure but to
>> every proxy that might come between us and a user, and that might
>> substitute a trojan along with the trojan's own SHA1.
>
> The same reasoning holds for the .asc file.

Only if there are no WOT paths to improve confidence in it. And only if no one ever detects the imposter, which is a lot less likely with a trojan PGP key (someone in particular is being impersonated) than a checksum (owned by no one).

--
Nick Kew
