Subject: Re: cgd and remote keys
To: None <>
From: David Holland <>
List: tech-security
Date: 12/31/2007 22:38:26
On Mon, Dec 31, 2007 at 03:54:35PM -0500, Perry E. Metzger wrote:
 > > I would lean towards pgp-encrypted keys fetched using something like
 > > curl, because that way you get the most flexibility in the transport
 > > and all you need to host the keys is a web server. With proper use of
 > > pgp (and possibly additional nonces to prevent replay attacks) it
 > > should be safe to use plain http.
 > Minor comment: no reason to use curl -- NetBSD's ftp will fetch URLs...

Yeah, I was originally thinking in terms of SSL, for which one does
(AFAIK) need curl or something of the sort, then designed it out.

Still wants to be arranged so it can use stuff from pkgsrc, though.

David A. Holland