On Mon, 02 Jul 12, 17:21:39, anotst01@fastmail.fm wrote:
>
> Posting gpg signing keys works for many other websites. How it works and
> how I suggest...
> - Go to https://some-project-website.com.
> - Some root CA vouches for the identity of some-project-website.com.
> - The author posts his gpg public key (fingerprint) somewhere on
>   https://some-project-website.com.
> - The root CA proves that the gpg public key belongs to the admin of
>   some-project-website.com. (Possible breach in server security or root
>   CA.)
> - The fingerprint was authenticated over SSL and at least the root CA
>   vouched for it, better than no one.

No, it is not authenticated. If someone breaks into the webserver and
replaces the fingerprint you would not notice it.

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
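The check that follows from Andrei's objection, as an added example that is not part of the thread: recompute the fingerprint from the downloaded key bytes themselves (RFC 4880 section 12.2) and compare it with a fingerprint obtained by a route independent of the host serving the key, instead of trusting the fingerprint published beside the key. The packet parser and the toy RSA key packet below are constructed for this example; the sample key is not a real key.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length + big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed toy OpenPGP v4 RSA public-key packet (tiny modulus, NOT a real key).
SAMPLE_BODY = (b"\x04"                          # version 4
               + struct.pack(">I", 1341242499)  # creation time (constructed)
               + b"\x01"                        # public-key algorithm: RSA
               + mpi(0xC0FFEEBADC0DE1234567)    # n (toy value)
               + mpi(65537))                    # e
SAMPLE_KEY = b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY  # old-format tag 6

def parse_first_packet(data: bytes):
    """Return (tag, body) of the first packet, old- or new-format header (RFC 4880 4.2)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            off, length = 2, first
        elif first < 224:
            off, length = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            off, length = 6, struct.unpack(">I", data[2:6])[0]
        else:
            raise ValueError("partial body lengths not supported")
    else:                                            # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = 1 + (1 << ltype)                       # 1-, 2- or 4-octet length
        length = int.from_bytes(data[1:off], "big")
    if len(data) < off + length:
        raise ValueError("truncated packet")
    return tag, data[off:off + length]

def v4_fingerprint(key_data: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the body of a v4 public (sub)key packet."""
    tag, body = parse_first_packet(key_data)
    if tag not in (6, 14) or body[0] != 4:
        raise ValueError("not a v4 public key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def matches_out_of_band(key_data: bytes, pinned_fingerprint: str) -> bool:
    """Compare the recomputed fingerprint with one obtained independently of the download host."""
    return v4_fingerprint(key_data) == "".join(pinned_fingerprint.split()).upper()
```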