Subject: Re: cgd and remote keys
To: David Holland
From: Perry E. Metzger
List: tech-security
Date: 12/31/2007 15:54:35

David Holland writes:
> I would lean towards pgp-encrypted keys fetched using something like
> curl, because that way you get the most flexibility in the transport
> and all you need to host the keys is a web server. With proper use of
> pgp (and possibly additional nonces to prevent replay attacks) it
> should be safe to use plain http.

Minor comment: no reason to use curl -- NetBSD's ftp will fetch URLs...

> It sounds like a good idea overall.


Perry E. Metzger