Public keys stored on different server
Werner Koch
wk at gnupg.org
Wed Feb 1 17:45:04 CET 2023
On Wed, 1 Feb 2023 16:51, Martin said:
> It just seemed like a contradiction to me if a key for security
> reasons should be downloaded from a website with an insufficient
> certificate ;-)
That is not really a matter. X.509 certificates as well as PGP keys are
self-contained. All OpenPGP applications check the integrity of newly
imported keys.
However, only the integrity can be checked but not whether the key
actually belongs to the entity it claims it belongs to (validity or
trust). Thus you either need to verify the fingerprint of the key or
use signature on the key issued by keys you already validated (cf. Web
of Trust, trusted introducer).
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20230201/2f6fa2d6/attachment.sig>
More information about the Gnupg-users
mailing list