On 2014-09-08, Giancarlo Razzolini <[email protected]> wrote: > The ssh fingerprints are only available on a non ssl web page. There are > SSHFP records for this. But with no DNSSEC you incur on the same issue, > of having to access the anoncvs page from many places/proxies/tor/etc to > see if the ssh fingerprint match.
Even with an ssl web page, you would have the same problem, unless you verify which CA issued the key and that you absolutely trust that they wouldn't issue a bogus certificate. btw: an easy way to check the key against an anoncvs server - $ cvs -d $CVSROOT -p src/etc/signify/openbsd-56-base.pub untrusted comment: openbsd 5.6 base public key RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV
