On 04-02-2014 17:11, Daniel Cegiełka wrote:
> 2014-02-04 Marc Espie <[email protected]>:
>
> wow!? really? And how can I be sure that the public key that I
> downloaded is exactly the same public key which is stored on OpenBSD
> servers (MITM)? signify is a step in the right direction but does not
> fix anything. We need trusted key distribution (or verification) for
> signify - without it we will be stuck on the same shit (but
> successfully verified).
>
> best regards,
> Daniel
Daniel,
Your regards were expressed by many others, including me, both here
and on tech@. There is no solution for this problem, unless you copy the
original key file from the machine on which it was created. There are
some ways to mitigate this though. DNSSEC is one of the things that can
be done. They mentioned on tech@ printing the keys on t-shirts. You can
buy the CDs. There is also TLS. I do download and verify things using
many internet links from different locations just to be sure I'm getting
the original version and it was not tampered with along the way. You
could do all of these things. But ultimately you have to either trust or
not. Your mileage may vary.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
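The mitigation Giancarlo describes, obtaining the same key over several independent channels (HTTPS mirror, CD, a printed copy typed in by hand) and refusing to trust it unless every copy agrees, is easy to mechanise. The script below is an added example and is not part of the mailing-list thread nor of signify itself. It parses signify's public key file format (an `untrusted comment:` line followed by one base64 line encoding the two-byte algorithm tag `Ed`, an 8-byte key number and a 32-byte Ed25519 public key), then compares the copies fetched through each channel. The key bytes and channel names are constructed sample data; a real check would fill the dictionary with the files actually retrieved over each channel. The example generalises slightly beyond the thread by checking the key number as well as the key bytes, since signify embeds the key number in every signature.

```python
import base64
from dataclasses import dataclass

# signify's algorithm tag for Ed25519 keys (first two bytes of the decoded blob)
PKALG = b"Ed"
KEYNUM_LEN = 8
PUBKEY_LEN = 32


@dataclass(frozen=True)
class SignifyPubKey:
    keynum: bytes  # 8-byte key id, repeated in every signature made with the key
    key: bytes     # 32-byte Ed25519 public key


def parse_pubkey(text: str) -> SignifyPubKey:
    """Parse a signify public key file: a comment line, then a single base64 line."""
    lines = text.strip().splitlines()
    if len(lines) != 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("not a signify public key file")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != len(PKALG) + KEYNUM_LEN + PUBKEY_LEN or raw[:2] != PKALG:
        raise ValueError("unexpected key algorithm or length")
    return SignifyPubKey(keynum=raw[2:2 + KEYNUM_LEN], key=raw[2 + KEYNUM_LEN:])


def cross_check(copies: dict) -> SignifyPubKey:
    """copies maps a channel name to the key file text obtained via that channel.

    Every copy must parse and decode to the same keynum and key bytes;
    any disagreement means at least one channel delivered a different key.
    """
    if len(copies) < 2:
        raise ValueError("need at least two independent channels to compare")
    parsed = {name: parse_pubkey(text) for name, text in copies.items()}
    distinct = set(parsed.values())
    if len(distinct) != 1:
        detail = ", ".join(f"{n}: keynum {p.keynum.hex()}" for n, p in parsed.items())
        raise ValueError(f"channels disagree on the public key ({detail})")
    return distinct.pop()


def make_pubkey_file(comment: str, keynum: bytes, key: bytes) -> str:
    """Build a key file in signify's format (used here only to construct samples)."""
    blob = PKALG + keynum + key
    return f"untrusted comment: {comment}\n{base64.b64encode(blob).decode()}\n"


# Constructed sample data: a fake key and a second, differing key (hypothetical values).
SAMPLE_KEYNUM = bytes(range(1, 9))
SAMPLE_KEY = bytes(range(32))
OTHER_KEY = bytes(range(32, 64))

GOOD_FILE = make_pubkey_file("sample public key", SAMPLE_KEYNUM, SAMPLE_KEY)
TAMPERED_FILE = make_pubkey_file("sample public key", SAMPLE_KEYNUM, OTHER_KEY)

# Three channels that all agree (hypothetical channel names).
CONSISTENT_COPIES = {
    "https mirror": GOOD_FILE,
    "install CD": GOOD_FILE,
    "printed copy": GOOD_FILE,
}

# Same channels, but one of them delivered a different key.
DIVERGENT_COPIES = {
    "https mirror": TAMPERED_FILE,
    "install CD": GOOD_FILE,
    "printed copy": GOOD_FILE,
}


def channels_agree(copies: dict) -> bool:
    """True if cross_check accepts the copies, False if any channel disagrees."""
    try:
        cross_check(copies)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pk = cross_check(CONSISTENT_COPIES)
    print("consistent copies: keynum", pk.keynum.hex(), "accepted")
    print("divergent copies accepted:", channels_agree(DIVERGENT_COPIES))
```

The comparison only establishes that the channels agree with each other; as the thread says, it cannot prove any of them is authentic. Its value is that an attacker now has to compromise every channel consistently rather than just the one download path, and the `keynum` it returns can be compared against the key number printed in the corresponding signature file before running the actual signature verification.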