[jdev] Re: JEP-0027 (OpenPGP) implementation question
Trejkaz
trejkaz at trypticon.org
Sun Mar 5 15:08:49 CST 2006
On Monday 06 March 2006 07:04, Norman Rasmussen wrote:
> Agreed, gpg/pgp keys are 'supposed' to be inherently strong, and
> therefore no automatic retrieval/exchange should even/ever be done,
> ever.
People are getting confused here.

There is *nothing* wrong with automatically retrieving the PGP keys, as Remko
just said. PGP public keys are supposed to be widely distributed, through
any means you want. In-band distribution is fine.

What *would* be wrong is automatically trusting all those keys that are
downloaded. A key might be automatically trusted, say if it's on the web of
trust due to being signed by other keys you already trust, but other than
that case a key should be marked as trusted manually.

TX
--
Email: trejkaz at trypticon.org
Jabber ID: trejkaz at trypticon.org
Web site: http://trypticon.org/
GPG Fingerprint: 9EEB 97D7 8F7B 7977 F39F A62C B8C7 BC8B 037E EA73
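
The split between retrieving a key and trusting it, sketched as an added example that is not part of the original message or of any Jabber client. `Key`, `Keyring` and their methods are hypothetical names, the fingerprints are constructed, and certifications are assumed to have been cryptographically verified already by an OpenPGP library. Trust through signatures is limited to one hop from manually trusted keys, which is a simplification and not GnuPG's full trust model.

```python
from dataclasses import dataclass, field


@dataclass
class Key:
    fingerprint: str
    # Fingerprints of signers whose certification of this key has already
    # been verified (assumption: done elsewhere by the OpenPGP library).
    certified_by: set = field(default_factory=set)


class Keyring:
    def __init__(self):
        self.keys = {}       # every key ever retrieved, by any channel
        self.manual = set()  # fingerprints the user verified by hand

    def import_key(self, key):
        """Automatic retrieval: store the key, grant no trust."""
        self.keys[key.fingerprint] = key

    def trust_manually(self, fingerprint):
        """Explicit user decision, e.g. after comparing fingerprints."""
        if fingerprint not in self.keys:
            raise KeyError(fingerprint)
        self.manual.add(fingerprint)

    def is_trusted(self, fingerprint):
        key = self.keys.get(fingerprint)
        if key is None:
            return False
        if fingerprint in self.manual:
            return True
        # A certification counts only if the signer is a key the user
        # trusted by hand. Signatures from unknown or merely imported
        # keys prove nothing.
        return bool(key.certified_by & self.manual)


def demo():
    ring = Keyring()
    # Constructed sample fingerprints, not real keys.
    ring.import_key(Key("AAAA"))                         # a contact
    ring.import_key(Key("BBBB", certified_by={"AAAA"}))  # signed by contact
    ring.import_key(Key("CCCC", certified_by={"DDDD"}))  # signed by stranger
    ring.import_key(Key("DDDD"))                         # stranger, sent in-band
    ring.trust_manually("AAAA")
    return {fp: ring.is_trusted(fp) for fp in sorted(ring.keys)}
```

All four keys end up in the keyring, but only the manually verified key and the key it certified are reported as trusted.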