This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: gpg ca-cert-file=[which file???]
On 7/15/17, Jim Garrison wrote:
> On 7/15/2017 11:40 AM, Lee wrote:
>> It seems a bit silly to be downloading pgp keys 'in the clear', so
>> after a bit of searching I think I want
>> keyserver hkps://whatever
>
> Public keys are intended to be public. Why do you think you need
> to encrypt them when downloading?
I had Wireshark running when I got a new key via hkp:// and it was
straight http. What does that open me up to? I dunno, but it seems
like using TLS would be better than clear-text http.
So while I don't need to encrypt the public key when downloading, I do
want to have some confidence that the key I requested is the key I
got, that the server I specified is the server gpg was talking to,
that nothing was modified in transit, etc.
This is what got me started on the topic:
https://lists.torproject.org/pipermail/tor-project/2017-July/001289.html
What can I do to reduce the chances of getting a fake key?
- keyid-format 0xlong
- use hkps:// and check the cert (keyserver-options check-cert=on)
- what else?
Regards,
Lee
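Added example (not from the cygwin list, GnuPG, or Lee): a POSIX shell script that writes the gpg.conf settings the message lists (hkps keyserver, keyid-format 0xlong, plus with-fingerprint and no-honor-keyserver-url) into a GnuPG home of your choosing, and then shows the check that actually defends against a fake key: comparing the full 40-hex-digit fingerprint from `gpg --with-colons --fingerprint` against one obtained out of band, instead of matching on the key ID. The keyserver hostname `keys.openpgp.org` is an assumption; both fingerprints and the colon-format listings are constructed sample data shaped like GnuPG output, not real keys. The second sample key deliberately shares its 32-bit short ID with the first, which is why matching on anything less than the full fingerprint is not enough.

```shell
#!/bin/sh
# Added example: harden gpg.conf as discussed on the list and verify a fetched
# key by its full fingerprint. Hostname and fingerprints below are assumptions
# / constructed sample data, not real keys.

# Write a hardened gpg.conf into the GnuPG home directory given as $1.
write_hardened_gpg_conf() {
    mkdir -p "$1"
    cat > "$1/gpg.conf" <<'EOF'
# Fetch keys over TLS. With GnuPG 2.1+ dirmngr validates the server certificate;
# GnuPG 2.0 used "keyserver-options check-cert" / "ca-cert-file=..." for that.
keyserver hkps://keys.openpgp.org
# Show 64-bit key IDs (32-bit short IDs are trivially collidable).
keyid-format 0xlong
# Print the full fingerprint whenever a key is listed.
with-fingerprint
# Do not let a key redirect us to a keyserver of its own choosing.
keyserver-options no-honor-keyserver-url
EOF
}

# Normalize a fingerprint: strip spaces, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Extract the first primary-key fingerprint from
# "gpg --with-colons --fingerprint" output on stdin (field 10 of "fpr:" lines).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Last 8 hex digits of a 40-digit fingerprint = the 32-bit short key ID.
short_id() {
    n=$(norm_fpr "$1")
    printf '%s' "$n" | cut -c33-40
}

# Return 0 only if the key described by the colon output in $2 has exactly the
# 40-digit fingerprint $1 (obtained out of band, e.g. from a project web page).
key_matches() {
    want=$(norm_fpr "$1")
    got=$(printf '%s\n' "$2" | fpr_from_colons)
    [ ${#want} -eq 40 ] && [ "$(norm_fpr "$got")" = "$want" ]
}

# Constructed sample colon output, shaped like GnuPG's but not a real key.
REAL_FPR='0A1B2C3D4E5F60718293A4B5C6D7E8F9ABCDEF01'
REAL_COLONS="pub:-:4096:1:C6D7E8F9ABCDEF01:1500000000:::-:::scESC::::::23::0:
fpr:::::::::${REAL_FPR}:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:"

# A second constructed key whose short ID (ABCDEF01) collides with the real one.
FAKE_FPR='FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFABCDEF01'
FAKE_COLONS="pub:-:4096:1:FFFFFFFFABCDEF01:1500000000:::-:::scESC::::::23::0:
fpr:::::::::${FAKE_FPR}:
uid:-::::1500000000::1111111111111111111111111111111111111111::Example User <user@example.invalid>::::::::::0:"

# Demo: write the config to a scratch home (never the real ~/.gnupg here) and
# run both sample keys through the fingerprint check.
demo_home=$(mktemp -d)
write_hardened_gpg_conf "$demo_home"
echo "wrote $demo_home/gpg.conf"
for k in "$REAL_COLONS" "$FAKE_COLONS"; do
    got=$(printf '%s\n' "$k" | fpr_from_colons)
    if key_matches "$REAL_FPR" "$k"; then
        echo "$got: full fingerprint matches, accept"
    else
        echo "$got: short ID $(short_id "$got") matches but fingerprint does not, reject"
    fi
done
```

Run it with `sh` and point GnuPG at the scratch directory with `GNUPGHOME` if you want to try the configuration; for a real key, feed `gpg --with-colons --fingerprint 0xLONGID` into `key_matches` together with the fingerprint you got from a source other than the keyserver. The TLS settings in gpg.conf only authenticate the server you talked to; the fingerprint comparison is what authenticates the key itself.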
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple