On 3/5/06, Remko Troncon <[EMAIL PROTECTED]> wrote: > > On 05 Mar 2006, at 18:26, Norman Rasmussen wrote: > > > No, as I said: """as Michal pointed out any exchange of pgp/gpg keys > > in-band will be insecure. (e.g. using the same tcp connection). The > > keyservers are the 'right' place to store and get this information.""" > > Retrieving keys from a keyserver is equally unsecure. I think there's > a mixup between the issue of automatically exchanging keys, and > actually asserting that the key is valid. The former requires no > security at all and can therefore be automated, the latter requires > extensive checking.
Agreed, gpg/pgp keys are 'supposed' to be inheriently strong, and therefore no automatic retrieval/exchange should even/ever be done, ever. If people want to implement automatic key exchange, they should be looking to implement JEP-0116 - it's actually far safer in terms of not being able to add and remove messages from conversations, additionally if the private key is ever compromised, then the messages can not be read. In fact anyone wanting to implement encrypted communications in their clients should be implementing JEP-0116, and _not_ JEP-0027 - is backwards compatability with older clients a good enough reason to implement something that's tricky to set up and get working with contacts on your roster? -- - Norman Rasmussen - Email: [EMAIL PROTECTED] - Home page: http://norman.rasmussen.co.za/
