Hi.

On Tue, Sep 09, 2014 at 01:09:17PM -0700, Tony Arcieri wrote:
> If you have your key fingerprint published through many channels, someone
> concerned with actually verifying your key fingerprint can check them all
> to ensure they match. If there's a discrepancy, something is probably amiss.
>

What is missing, for me at least, in this statement is that the very same channel is used. Namely the Web via your Web browser. I consider this channel to be easily attackable plus the attack to subvert the proposed verification algorithm easily mountable. It's a mere 's/old_fingerprint/corrupted_fp/g' operation.

You might not have that attacker or threat model in mind when assessing the security of the proposed scheme. Some others do. Those people, as it has already been written, wouldn't want to depend solely on that scheme to verify keys.

Cheers,
Tobi

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
