> If the site is compromised, most bets are off sadly. Yes, for people who look only in one place, the manipulated web server. But that is the reason why the fingerprint has to pop up in different places where it is hard to fake. Even if this one user can be tricked, others can discover that the site is compromised if the fingerprint is independently recorded many times elsewhere.
BTW, pointing to a key server is not the way to convince anyone. A key server is a convenient way to get keys, not a tool to assure their authenticity. So I don't think that there is much of an alternative other than someone stepping in and provide some first-hand knowledge about the key. -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
