> Which means that if somebody is attacking you he will substitute both the
> signature file and my key when you download it. So you gain very little,
> unless you have some other trust path.

Well, they should also hijack the connection with the keyserver site. While being the man in the middle in an HTTP connection (thus, the one used to download the freenet binaries) can be easy, hijacking an SSL/TLS protected one is hard.

Oh, the HKP protocol used to transfer keys is cleartext too, being it over HTTP. Well. Please come to my house, show me your documents and the fingerprint of your public key. Please. :) Oh, and come again after 2015. ;)

> Trust is hard. Even if you pay money to "solve" the problem, there are lots
> of cases of problems with paid for certs.

Yup, some. But you will agree that the problematic scenarios with signed X509 certs are scarce and almost insignificant if compared to web-of-trust-based ones.

By the way, how much would it cost "you" (I mean, to the community) a certificate that would last, let's say, for three years? Just curious, if you ever checked.

Cheers!

--
Fabio