From: Lee
Date: Sat, 15 Jul 2017 23:07:00 -0000
Subject: Re: gpg ca-cert-file=[which file???]
To: jhg@acm.org, Jim Garrison, cygwin@cygwin.com

On 7/15/17, Jim Garrison wrote:
> On 7/15/2017 11:40 AM, Lee wrote:
>> It seems a bit silly to be downloading pgp keys 'in the clear', so
>> after a bit of searching I think I want
>>   keyserver hkps://whatever
>
> Public keys are intended to be public.  Why do you think you need
> to encrypt them when downloading?

I had wireshark running when I got a new key via hkp:// and it was
straight http.  What does that open me up to?  I dunno, but it seems
like using TLS would be better than clear-text http.

So while I don't need to encrypt the public key when downloading, I do
want to have some confidence that the key I requested is the key I
got, that the server I specified is the server gpg was talking to,
that nothing was modified in transit, etc.

This is what got me started on the topic:
  https://lists.torproject.org/pipermail/tor-project/2017-July/001289.html

What can I do to reduce the chances of getting a fake key?
 - keyid-format 0xlong
 - use hkps:// and check the cert (keyserver-options check-cert=on)
 - what else?

Regards,
Lee
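
One way to check that "the key I requested is the key I got", as an added example that is not part of the original message: compare the full fingerprint in gpg's `--with-colons --fingerprint` listing against one obtained over a separate trusted channel. The listings and fingerprints are constructed, the function names are hypothetical, and 40-hex-digit (v4) fingerprints are assumed.

```python
import re

# Constructed listing in the format of `gpg --with-colons --fingerprint` (not a real key).
GENUINE = (
    "pub:-:4096:1:1122334455667788:1500000000:::-:::scESC:\n"
    "fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:\n"
    "uid:-::::1500000000::::Example Signer <signer@example.org>:\n"
    "sub:-:4096:1:99AABBCCDDEEFF00:1500000000::::::e:\n"
    "fpr:::::::::0123456789ABCDEF0123456799AABBCCDDEEFF00:\n"
)
# Constructed look-alike: same long key ID and user ID, different fingerprint.
LOOKALIKE = GENUINE.replace("AAAABBBBCCCCDDDDEEEEFFFF", "0000000000000000DEADBEEF")


def normalize(fpr):
    """Strip whitespace and an optional 0x prefix; insist on a full fingerprint."""
    fpr = re.sub(r"\s+", "", fpr).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a full fingerprint, not a short or long key ID")
    return fpr


def primary_keys(listing):
    """Return (long_key_id, fingerprint) for every primary key in the listing."""
    keys, pending = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            pending = f[4].upper()          # field 5: long key ID
        elif f[0] in ("sub", "sec", "ssb"):
            pending = None                  # a following fpr belongs to another key
        elif f[0] == "fpr" and pending and len(f) > 9:
            keys.append((pending, f[9].upper()))  # field 10: fingerprint
            pending = None
    return keys


def fetched_key_matches(listing, expected_fpr):
    """True only if the listing holds exactly one primary key with that fingerprint."""
    expected = normalize(expected_fpr)
    keys = primary_keys(listing)
    return len(keys) == 1 and keys[0][1] == expected


if __name__ == "__main__":
    trusted = "AAAA BBBB CCCC DDDD EEEE  FFFF 1122 3344 5566 7788"
    for name, listing in (("genuine", GENUINE), ("look-alike", LOOKALIKE)):
        print(name, primary_keys(listing)[0][0], fetched_key_matches(listing, trusted))
```

Both constructed keys show the same long key ID, so only the full-fingerprint comparison tells them apart.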