On Fri, 27 Feb 2015 19:37, marcozehe...@mailbox.org said:

> And here’s the other problem the main article in c’t mentions: Those
> keys, although faked, were certified. They were certified by equally
> faked keys which resemble keys that are quite well-known. So unless

Nope. According to the questions the author sent me prior to publishing this article, he only looked at the listing presented by the keyserver and concluded that if the web page says self-signature, the user id must be valid (e.g. that second user id on the c't PGP CA).

Now we all know that keyservers don't do crypto. As soon as you import that key, the user ids with the faked self-signature are simply ignored and a listing by gpg won't show them.

To avoid that in the future, the signature listing from the keyservers may add a note about this.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.