X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; q=dns; s=default; b=h5n7owW 0qvjPuh+jgMLsbbL+4M5pGDfKbl3MclooBFpjWTtuikIq0OZ2W7f9FLfUtQxamqp FWb53yNhL6xkEEzhfvL8bIXFuizLhU7IIW31bYihlFS1xF2/WiOfFONqKe92XHIV H9aaIvWjhHAhY2w+aQE1OMOGbYnzTnwjbKlE= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; s=default; bh=EjbwzLw58lSN7 zlsQ5uJrd3x7EA=; b=gZFtbaatIKpQSM5CP1bMvviAAvOPq4I/eRrJIXz4rvN5C bb+FS/66glreF4m6dSUBgc1N79cE+c2IfWbeHn7pExHMnAG+EHwvdtRMTStTV9hf z7q9h+5YKN/yn17hsaVXBffjFpNmA326n+c+an9P9/MQLvxgKea45Qw80VB/6o= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.3 required=5.0 tests=AWL,BAYES_00,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.2 spammy=UD:torproject.org, checkcert, check-cert, sk:keyserv X-HELO: mail-vk0-f41.google.com X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=fjkfopPQKHsDPEirqSEbTW2XYTCavxySS0mYsPNigOs=; b=QwwCqYqmnDXTebzfzaw29v2sWrDmZ0PolVesPwNUEqttG+YQwMgKJtRv7F7V86wRrl 54gIc/PJjc5+xEj1mYtwVIlf9SUL7063ddXsW5rajqNgla/+WGiG9qNrQSkgVi3kJtrF H5ew252+Q+nQ5LZTMtAiw6rSRt31KPkLcdHPLUAQsaDmwzkq6DYJ+o97XcExgxV+aHJ0 1/1+GTzAKoV4CqNlvzsP9HXX0SyljxvBTy37BbpJ9dWkD8keP6wX006YiZmmFxd+7qed 9T4srH8Cm8w2zRjTlm21jvOxG7rCIXbuZ3w1XS2OmRmosgXaCNFTtnOr60CAKbFTpV25 PECA== X-Gm-Message-State: AIVw111y3QNIUHqlo4yZRd1Hcd8d9i2+ToIzpwPfzLhTdM2hehCv0ge/ qvVAw7Wg2E1dK+QFPyg8O8iupBVv5g== X-Received: by 10.31.182.5 with SMTP id g5mr8775896vkf.151.1500150889091; Sat, 15 Jul 2017 13:34:49 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: References: From: Lee Date: Sat, 15 Jul 2017 16:34:48 -0400 Message-ID: Subject: Re: gpg ca-cert-file=[which file???] To: jhg AT acm DOT org, Jim Garrison , cygwin AT cygwin DOT com Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes On 7/15/17, Jim Garrison wrote: > On 7/15/2017 11:40 AM, Lee wrote: >> It seems a bit silly to be downloading pgp keys 'in the clear', so >> after a bit of searching I think I want >> keyserver hkps://whatever > > Public keys are intended to be public. Why do you think you need > to encrypt them when downloading? I had wireshark running when I got a new key via hpk:// and it was straight http. What does that open me up to? I dunno, but it seems like using TLS would be better than clear-text http. So while I don't need to encrypt the public key when downloading, I do want to have some confidence that the key I requested is the key I got, that the server I specified is the server gpg was talking to, that nothing was modified in transit, etc. This is what got me started on the topic: https://lists.torproject.org/pipermail/tor-project/2017-July/001289.html What can I do to reduce the chances of getting a fake key? - keyid-format 0xlong - use hkps:// and check the cert (keyserver-options check-cert=on) - what else? Regards, Lee -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple