On Mon, Sep 08, 2014 at 05:21:09PM -0300, Giancarlo Razzolini wrote:
> The ssh fingerprints are only available on a non ssl web page.

Lots of people use CVS over SSH to update their systems, and thus already have fingerprints saved in their known_hosts file. In addition to checking multiple TLS-protected sites, which I previously mentioned, this is about as good as it gets. One can't ask for more.

> But with no DNSSEC you incur on the same issue, of having to access the
> anoncvs page from many places/proxies/tor/etc to see if the ssh
> fingerprint match.

This thread is about verifying signify pubkeys, not DNSSEC. DNSSEC is an unencrypted protocol that relies on RSA-1024 and governments. It's horribly complex, and I can't tell if it's a make-work program (incompetent) or Project Bullrun (malicious). Maybe both, which is why the US govt likes it so much.

Anyway, in my previous post I shared several good methods for verifying the 5.5 base key, as well as the key itself, and any one of the thousands of people on this mailing list can pipe up to say, "That's not the key I have!" That could be a hugely compelling and important moment -- and if it happens then perhaps there's more to say on the issue.

Nicolai

