Hi, as keyserver spoofing and poisoning have been a concern, I decided to test
it by downloading the same key from the same keyserver at different times and
from different locations.

When I exported the resulting keys using ASCII, the files were significantly
different, 3k difference in file sizes. Is this expected?

All the keys have the same fingerprint and the same subkeys. All the keys 
successfully verify a good signature from the source address.

To account for differences in software version I imported each into a single
machine, re-exported, then deleted the imported key and followed the same process
with the next key, so each key was exported using the same software version.
They are still different from each other and identical with the original. Is
there any explanation for this?

Sent with [ProtonMail](https://protonmail.com) Secure Email.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
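
An added example, not part of the original post: a small Python parser that splits two exports of the same key into OpenPGP packets and reports which packets appear in only one copy, so a size difference between exports with matching fingerprints can be traced to specific packets. The sample data and the names `dearmor`, `packets`, `compare`, `COPY_A` and `COPY_B` are constructed for illustration.

```python
import base64
import hashlib
from collections import Counter

TAGS = {2: "signature", 6: "public-key", 13: "user-id", 14: "public-subkey"}  # RFC 4880 tags

def dearmor(text):
    """Decode an ASCII-armored export into its binary packet stream."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]          # data starts after the blank line
    data = [l for l in body if l and not l.startswith(("=", "-----"))]
    return base64.b64decode("".join(data))     # CRC and END lines were skipped

def packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:                     # one-octet length
                n = first
            elif first < 224:                   # two-octet length
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:                  # five-octet length
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                   # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate length not handled")
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def compare(a, b):
    """Return (only_in_a, only_in_b) Counters keyed by (packet type, body hash)."""
    sa, sb = (Counter((TAGS.get(t, f"tag {t}"), hashlib.sha256(p).hexdigest()[:16])
                      for t, p in packets(d)) for d in (a, b))
    return sa - sb, sb - sa

# Constructed sample: placeholder packet bodies, not real key material.
def _pkt(tag, body):
    return bytes([0x80 | (tag << 2), len(body)]) + body   # old format, 1-byte length
COPY_A = _pkt(6, b"primary-key") + _pkt(13, b"Alice <alice@example.org>") + _pkt(2, b"self-sig")
COPY_B = COPY_A + _pkt(2, b"third-party-sig")
```

Calling `compare(dearmor(open("a.asc").read()), dearmor(open("b.asc").read()))` on two real exports (file names hypothetical) lists the packet types that differ between them.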