On 3/5/06, Remko Troncon <[EMAIL PROTECTED]> wrote:
> On 05 Mar 2006, at 13:38, Norman Rasmussen wrote:
> > yea, I've considered adding a button to Psi to do this many times.
> A solution which doesn't require a button would be to use PEP to
> publish your key.
>
No, as I said: """as Michal pointed out any exchange of pgp/gpg keys in-band will be insecure. (e.g. using the same tcp connection). The keyservers are the 'right' place to store and get this information."""

If someone has hijacked your xmpp session, then they can very easily return whatever public key they want. Doing the key retrieval out-of-band means extra dns requests, and connecting to a different server, all resulting in more work for 'the bad guys' and adding extra layers of security.

This isn't to say that someone could hijack your entire internet connection, and redirect the keyserver connection too, but it does make their life harder.

--
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/
