> Yes, of course. I'm just wondering whether there's anything that I can
> do to increase the probability that a user who looks me up and emails me
> out of nowhere will get the right key.

Tell them to look you up by fingerprint.  Problem solved.

> This breaks the "look up key and then just use ToFU" workflow...

No, it breaks up the "grab a random certificate that claims to be mine
and just use it" workflow, which is stupid, and isn't even what the TOFU
advocates suggest.

TOFU is built on trusting certificates that are used in received mail.
If you receive a mail signed by 0xB44427C7, TOFU says "you should
probably trust this is from r...@sixdemonbag.org."

But if you don't already have the certificate, and you're looking for it
on a keyserver, TOFU says "you should really pull it down by long key ID
or fingerprint."

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
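
The distinction drawn in the message above, as an added example that is not part of the original post: a TOFU binding is recorded from a certificate seen on signed mail, while a keyserver fetch is accepted only when it was requested by long key ID or fingerprint and the returned certificate matches. It assumes OpenPGP v4 keys (40-hex-digit fingerprint, long key ID equal to its last 16 digits); all names and the sample fingerprint are constructed for illustration.

```python
import re

HEX = re.compile(r"^[0-9A-F]+$")
# Constructed sample fingerprint, not a real key.
SAMPLE_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

def normalize(query):
    """Drop spaces and an optional 0x prefix, then uppercase."""
    q = query.replace(" ", "").upper()
    return q[2:] if q.startswith("0X") else q

def lookup_kind(query):
    """Classify a keyserver query by how tightly it pins one certificate."""
    q = normalize(query)
    if HEX.match(q):
        kinds = {40: "fingerprint", 16: "long_id", 8: "short_id"}
        if len(q) in kinds:
            return kinds[len(q)]
    return "name_or_address"

def accept_fetched(query, fetched_fingerprint):
    """Accept a keyserver result only for fingerprint or long-ID lookups,
    and only if the returned certificate really matches the request."""
    if lookup_kind(query) not in ("fingerprint", "long_id"):
        return False  # address and short-ID searches are easy to spoof
    fpr = normalize(fetched_fingerprint)
    return lookup_kind(fpr) == "fingerprint" and fpr.endswith(normalize(query))

class TofuStore:
    """Hypothetical in-memory store of address-to-fingerprint bindings."""

    def __init__(self):
        self.bindings = {}

    def observe_signed_mail(self, address, fingerprint):
        """Record the certificate that signed a received mail."""
        addr, fpr = address.lower(), normalize(fingerprint)
        if addr not in self.bindings:
            self.bindings[addr] = fpr
            return "first-use"
        return "consistent" if self.bindings[addr] == fpr else "conflict"
```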
