On Wed, Sep 18, 2013 at 10:00 PM, NdK <[email protected]> wrote: > Il 17/09/2013 22:01, Philip Jägenstedt ha scritto: > >> That's fine, I'm just trying to figure out what others do to convince >> themselves that (e.g.) the GnuPG dist sig key is trustworthy-ish and >> if there are any tools to help with the boring bits. > I think "stability" is what most newbies (and probably experienced users > too) use. > > If the same "identity" keeps using the same key while relating with > different users, it's "trustworthy". So if I have CDs from some years > ago and OpenPGP is signed with the same key used today, I can be "sure > enough" it's not been tampered with and the new file is trustworthy. > > And often it's more important stability over "impossible" verifications > of "real life identity".
Yeah, that sounds like a useful approach. If I assume that the Wayback Machine isn't part of a conspiracy against me, then I could use it to check what signing keys were listed on gnupg.org in the past: http://web.archive.org/web/20070610103602/http://www.gnupg.org/signature_key.en.html -- Philip Jägenstedt _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
