On Wed, Sep 18, 2013 at 10:20 PM, Daniel Kahn Gillmor <[email protected]> wrote:
> On 09/18/2013 04:14 PM, Philip Jägenstedt wrote:
>> Yeah, that sounds like a useful approach. If I assume that the Wayback
>> Machine isn't part of a conspiracy against me, then I could use it to
>> check what signing keys were listed on gnupg.org in the past:
>>
>> http://web.archive.org/web/20070610103602/http://www.gnupg.org/signature_key.en.html
>
> Given that the above link is cleartext (http instead of https), you're
> also trusting every machine connected to the network path between you
> and web.archive.org to not imperceptibly MITM your connection.

Yes, of course I would need to check it from multiple networks, but even that is no guarantee, since the MITM could just be very close to web.archive.org.

-- 
Philip Jägenstedt
