On Mar 22, 2020, Florian Zieboll wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Sun, 22 Mar 2020 08:02:51 -0400
> Dan Purgert <dan@???> wrote:
>
> > On Mar 21, 2020, Adrian Zaugg wrote:
> >
> > > Please get your keys always over secured connections. Use https.
> >
> > The entire point of the public key is that it can be obtained over any
> > insecure medium, and still provide the correct signature verification.
>
>
> Hallo Dan,
>
> please re-check what you wrote here - I am sure that you have been
> confused. Let me correct your statement:

I meant what I said.

You getting my pgp key (8e11ddf31279a281) from https://mysite has no
inherent benefit over getting it from http://mysite. Or likewise,
getting "notDansRealKey" from "https://notmysite" doesn't actually
protect you.

Your trust in my key (and therefore, my signature) should not be founded
on _where_ you got it from, but your own personal web of trust made up
of (hopefully!) people you know and trust to do their due diligence for
confirming I am me. (Or in the specific case of the devuan signing key,
that the devuan key is actually owned by the team).

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281