On Monday 06 March 2006 07:04, Norman Rasmussen wrote:
> Agreed, gpg/pgp keys are 'supposed' to be inherently strong, and
> therefore no automatic retrieval/exchange should even/ever be done,
> ever.

People are getting confused here.

There is *nothing* wrong with automatically retrieving the PGP keys, as Remko
just said. PGP public keys are supposed to be widely distributed, through
any means you want. In-band distribution is fine.

What *would* be wrong is automatically trusting all those keys that are
downloaded. A key might be automatically trusted, say if it's on the web of
trust due to being signed by other keys you already trust, but other than
that case a key should be marked as trusted manually.

TX
--
Email: [EMAIL PROTECTED]
Jabber ID: [EMAIL PROTECTED]
Web site: http://trypticon.org/
GPG Fingerprint: 9EEB 97D7 8F7B 7977 F39F A62C B8C7 BC8B 037E EA73
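
Added example, not part of the original message: a simplified Python model of the distinction drawn above, where importing a key never grants trust and validity comes only from manual verification or from certifications by already-valid keys whose owners are trusted. The class names and sample fingerprints are constructed, the thresholds mirror GnuPG's documented defaults (`completes-needed 1`, `marginals-needed 3`), and the certification depth limit is omitted.

```python
# Simplified web-of-trust model (assumption: not GnuPG's actual code).
from dataclasses import dataclass, field

FULL, MARGINAL, NONE = "full", "marginal", "none"

@dataclass
class Key:
    fpr: str                                     # constructed sample fingerprint
    signed_by: set = field(default_factory=set)  # fingerprints that certified this key
    ownertrust: str = NONE                       # trust in the owner as an introducer
    manual_valid: bool = False                   # user checked the fingerprint by hand

class Keyring:
    def __init__(self, own_fpr):
        # Our own key is the root: valid and fully trusted.
        self.keys = {own_fpr: Key(own_fpr, ownertrust=FULL, manual_valid=True)}

    def import_key(self, key):
        """Automatic retrieval: always allowed, grants no trust by itself."""
        self.keys.setdefault(key.fpr, key)

    def valid_keys(self, completes_needed=1, marginals_needed=3):
        """Iterate to a fixed point: a key is valid if manually verified, or
        certified by enough already-valid keys whose owners we trust."""
        valid = {f for f, k in self.keys.items() if k.manual_valid}
        changed = True
        while changed:
            changed = False
            for fpr, key in self.keys.items():
                if fpr in valid:
                    continue
                signers = [self.keys[s] for s in key.signed_by if s in valid]
                full = sum(1 for s in signers if s.ownertrust == FULL)
                marginal = sum(1 for s in signers if s.ownertrust == MARGINAL)
                if full >= completes_needed or marginal >= marginals_needed:
                    valid.add(fpr)
                    changed = True
        return valid

def demo():
    ring = Keyring("ME")
    ring.import_key(Key("ALICE", signed_by={"ME"}, ownertrust=FULL))
    ring.import_key(Key("BOB", signed_by={"ALICE"}))        # reachable via web of trust
    ring.import_key(Key("MALLORY", signed_by={"MALLORY"}))  # self-signed only
    return ring.valid_keys()
```

`demo()` imports all three keys, but only ALICE and BOB become valid; MALLORY stays in the keyring as an untrusted key until someone verifies it manually.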
