Anthony Carrico wrote: > I seem to remember that somebody from Vague, and in my PGP web of trust, > was associated with CaCert (John Campbell?). If that is true, and you > have the fingerprints from a secure source, it would be nice if you > could confirm them with your sig. That might be useful for others on the > Vague list too. > > Hope I'm barking up the right tree here. Thank you!
Replying to my own message... I just renewed an expired cert, and the renewal email from CaCert included their root cert fingerprints (which match), so there is a second source (not secure, but somewhat independent of the first). I checked and noticed that the renewal email from last year also includes the same fingerprints. Earlier years don't. If that particular avenue happens to be compromised, the attack would need to have been on since last year. Anyway, if anyone cares, that is three matching snapshots of the fingerprint which I have seen. -- Anthony Carrico
signature.asc
Description: OpenPGP digital signature
