>>> gpg signed attestations, e.g. see up front of my site, https://psg.com
>>
>> Not sure if that helps at all - the CA is an invalid certificate and would
>> be expired even if the validity dates were correct. That doesn't indicate
>> proper cert handling...
>>
>
>And if it was SSH, how would we ever truly verify that public key.

I'm not Randy, and I rarely look at SSH keys, but I do note that the bogus CA doesn't matter, since the file you download contains a PGP signature you can verify. Well, you can if you believe that the key with ID EA37E360 belongs to Randy. Perhaps I'll ask him when I see him in Dallas.

R's,
John
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography