undefined | Better HN

0 pointscwyers10y ago0 comments

Because someone can do a man-in-the-middle attack and intercept the right hash and replace it with another one. And how do you verify that the public key is trusted for the first time?

0 comments

antnisp10y ago

I was under the impression that you can have your key signed by a generally trusted CA.

technion10y ago

GPG has no central CAs, but relies on a "web of trust" situation. In reality, there's no one central that everyone trusts, so unless the keys are signed by some individual you personally trust, you're down to being reliant on getting valid keys.

j / k navigate · click thread line to collapse

0 pointscwyers10y ago0 comments

Because someone can do a man-in-the-middle attack and intercept the right hash and replace it with another one. And how do you verify that the public key is trusted for the first time?

0 comments

antnisp10y ago

I was under the impression that you can have your key signed by a generally trusted CA.

technion10y ago

j / k navigate · click thread line to collapse