[jdev] Re: JEP-0027 (OpenPGP) implementation question

Remko Troncon remko at el-tramo.be
Sun Mar 5 11:57:58 CST 2006


On 05 Mar 2006, at 18:26, Norman Rasmussen wrote:

> No, as I said: """as Michal pointed out any exchange of pgp/gpg keys
> in-band will be insecure. (e.g. using the same tcp connection).  The
> keyservers are the 'right' place to store and get this information."""

Retrieving keys from a keyserver is equally insecure. I think there's
a mix-up between the issue of automatically exchanging keys, and
actually asserting that the key is valid. The former requires no
security at all and can therefore be automated; the latter requires
extensive checking.

cheers,
Remko
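
Added example, not part of the original message: a sketch of the split described above, where the key bytes may arrive over any transport (in-band or keyserver) and are accepted only if their OpenPGP v4 fingerprint matches one confirmed out of band. The function names and toy key values are constructed for illustration, and a fingerprint comparison is assumed here as one form of the checking.

```python
import hashlib
import struct


def v4_fingerprint(pubkey_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880, section 12.2): SHA-1 over 0x99,
    a two-byte big-endian length, then the public-key packet body."""
    if not pubkey_body or pubkey_body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    if len(pubkey_body) > 0xFFFF:
        raise ValueError("packet body too long")
    prefix = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()


def normalize(fpr: str) -> str:
    """Strip the spaces or colons a printed fingerprint usually carries."""
    return "".join(c for c in fpr if c not in " :").upper()


def key_is_asserted(pubkey_body: bytes, out_of_band_fpr: str) -> bool:
    """Accept a key from any transport only if it matches a fingerprint
    the user confirmed through a separate, trusted channel."""
    expected = normalize(out_of_band_fpr)
    if len(expected) != 40:
        return False  # truncated fingerprints or short key IDs are rejected
    return v4_fingerprint(pubkey_body) == expected


def make_rsa_body(n: int, e: int, created: int) -> bytes:
    """Constructed sample: v4 packet body with RSA (algorithm 1) MPIs."""
    def mpi(x: int) -> bytes:
        size = (x.bit_length() + 7) // 8
        return struct.pack(">H", x.bit_length()) + x.to_bytes(size, "big")
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


# Constructed toy values, not real keys.
GENUINE = make_rsa_body(n=0xC0FFEE1234567891, e=65537, created=1141581478)
SUBSTITUTED = make_rsa_body(n=0xBADC0DE987654321, e=65537, created=1141581478)

# Stands in for the fingerprint the user confirmed in person or by phone.
_hex = v4_fingerprint(GENUINE)
TRUSTED_FPR = " ".join(_hex[i:i + 4] for i in range(0, 40, 4))

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE), ("substituted", SUBSTITUTED)):
        print(label, v4_fingerprint(body), key_is_asserted(body, TRUSTED_FPR))
```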


