On Tue, Sep 09, 2014 at 02:23:39AM +1200, Carlin Bingham wrote:
> The keys have also been posted to the mailing list at least once (look
> for a post by Theo in the thread "a half-baked analysis of the
> verification chicken-and-egg problem, and request"). The mailing list is
> mirrored by many different services (such as marc), so also comparing
> the keys against the various mailing list mirrors would create
> additional complexity for any organisation trying to MITM the keys you
> receive.
Indeed. And don't forget keys posted on websites available over TLS, as
well as the OpenBSD website, which is available via CVS over SSH. So there
are existing, authenticated methods for verifying signify pubkeys.

https://twitter.com/tedunangst/status/439308681176686592
https://github.com/libressl/libressl/blob/master/src/etc/signify/openbsd-55-base.pub

untrusted comment: openbsd 5.5 base public key
RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h

Nicolai
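The cross-channel check both posters describe, as an added example that is not part of this thread or of OpenBSD's signify code: parse each copy of the pubkey file (signify's layout is a two-byte "Ed" algorithm tag, an 8-byte key id that is repeated in every signature made with the key, then the 32-byte Ed25519 public key) and require that every copy obtained over an independent channel carries identical key material. The source names and the tampered "suspect mirror" copy are constructed for illustration; the good copies are the key quoted in the mail above.

```python
"""Parse OpenBSD signify public keys and cross-check copies obtained over
independent channels (mailing-list mirror, TLS website, CVS over SSH...)."""
import base64
from dataclasses import dataclass

PKALG = b"Ed"      # signify's algorithm tag for Ed25519
KEYNUMLEN = 8      # key id, also embedded in every signature made with this key
PUBKEYLEN = 32     # raw Ed25519 public key
COMMENT_HDR = "untrusted comment: "

# Constructed sample inputs: the first two are the key quoted in the mail above
# as it might be copied from two channels; the third has one base64 character
# changed (Q -> R) to stand in for a corrupted or MITM'd copy. Names are hypothetical.
FROM_MAILING_LIST = """untrusted comment: openbsd 5.5 base public key
RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
"""
FROM_GITHUB_MIRROR = (
    "untrusted comment: openbsd 5.5 base public key\n"
    "RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h\n"
)
FROM_SUSPECT_MIRROR = (
    "untrusted comment: openbsd 5.5 base public key\n"
    "RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxROndvXvM5ZPX+nQ9h\n"
)


@dataclass(frozen=True)
class SignifyPubKey:
    comment: str   # free text; signify itself labels it "untrusted"
    keynum: bytes  # 8-byte key id
    pubkey: bytes  # 32-byte Ed25519 public key

    @property
    def key_id(self) -> str:
        return self.keynum.hex()


def parse_pubkey(text: str) -> SignifyPubKey:
    """Decode one signify pubkey file; raise ValueError on anything malformed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 2 or not lines[0].startswith(COMMENT_HDR):
        raise ValueError("expected an 'untrusted comment:' line followed by one base64 line")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != len(PKALG) + KEYNUMLEN + PUBKEYLEN:
        raise ValueError(f"decoded key is {len(raw)} bytes, expected 42")
    if raw[: len(PKALG)] != PKALG:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return SignifyPubKey(
        comment=lines[0][len(COMMENT_HDR):],
        keynum=raw[2 : 2 + KEYNUMLEN],
        pubkey=raw[2 + KEYNUMLEN :],
    )


def cross_check(sources: dict[str, str]) -> dict[str, list[str]]:
    """Group source names by the key material they carry.

    Only keynum+pubkey bytes are compared: the comment line is untrusted and
    mirrors may rewrap whitespace. Copies that fail to parse are filed under
    "<invalid>" so a broken download is never silently dropped from the tally.
    """
    groups: dict[str, list[str]] = {}
    for name, text in sources.items():
        try:
            k = parse_pubkey(text)
            label = (k.keynum + k.pubkey).hex()
        except ValueError:
            label = "<invalid>"
        groups.setdefault(label, []).append(name)
    return groups


def sources_agree(sources: dict[str, str], minimum: int = 2) -> bool:
    """True only if at least `minimum` copies were seen and all carry the same
    well-formed key. Any dissent means stop and investigate, not majority vote."""
    groups = cross_check(sources)
    return len(sources) >= minimum and len(groups) == 1 and "<invalid>" not in groups


if __name__ == "__main__":
    k = parse_pubkey(FROM_MAILING_LIST)
    print(f"key id {k.key_id}  comment {k.comment!r}")
    copies = {"list": FROM_MAILING_LIST, "github": FROM_GITHUB_MIRROR,
              "mirror": FROM_SUSPECT_MIRROR}
    for label, names in cross_check(copies).items():
        print(f"{label[:16]}...  {names}")
    print("all sources agree:", sources_agree(copies))
```

The key id printed here is the same eight bytes that appear at the start of every signature file made with this key, so it is also the value to compare when a .sig claims to have been made with "openbsd-55-base.pub". Any mismatch across channels is a signal to stop and look at which channel is wrong, not to take the majority.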

