

Ask HN: How can I trust a site's .asc key to not be compromised? - hellbanner

Many websites and authors put their public key on their site.

But how can I trust that the .ASC file is not compromised by, say, one of the certificate companies?
======
misterdata
Well basically, you can't as long as you're loading the web page over an
insecure connection. If the .asc is loaded over SSL, then verifying the
certificate should be sufficient.

~~~
sarciszewski
Even then, you should also verify it out-of-band (e.g. compare full
fingerprints over OTR with someone you trust who has previously saved the same
.asc file)

~~~
misterdata
Agreed, depending on how paranoid you are. The server serving the .asc file
over SSL could still be compromised (among other things). Similarly you are
unable to ascertain that the recipient's private key isn't compromised either, or
the recipient is forced to decrypt, et cetera.
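
The out-of-band check suggested in the thread, as an added example that is not part of any comment above: it computes the full OpenPGP v4 fingerprint of a downloaded .asc and compares it with one obtained over a separate channel. The function names are illustrative and the sample key material is constructed (dummy values, not a usable key); only version 4 keys are handled.

```python
import base64, hashlib, hmac, re

def dearmor(asc: str) -> bytes:
    """Return the binary OpenPGP data from an ASCII-armored block."""
    lines = [l.strip() for l in asc.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]            # skip armor headers, drop END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))  # '=' line is the CRC24

def primary_key_body(data: bytes) -> bytes:
    """Body of the first packet, which must be a Public-Key packet (tag 6)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    hdr = data[0]
    if hdr & 0x40:                                  # new-format header
        tag, l0 = hdr & 0x3F, data[1]
        if l0 < 192: n, off = l0, 2
        elif l0 < 224: n, off = ((l0 - 192) << 8) + data[2] + 192, 3
        elif l0 == 255: n, off = int.from_bytes(data[2:6], "big"), 6
        else: raise ValueError("partial body length not supported")
    else:                                           # old-format header
        tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
        if size == 8: raise ValueError("indeterminate length not supported")
        n, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    if tag != 6 or len(data) < off + n:
        raise ValueError("not a complete public-key packet")
    return data[off:off + n]

def fingerprint(asc: str) -> str:
    """Full 160-bit v4 fingerprint: SHA-1 over 0x99, 2-byte length, packet body."""
    body = primary_key_body(dearmor(asc))
    if body[0] != 4:
        raise ValueError("only version 4 keys handled here")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def matches_trusted(asc: str, trusted: str) -> bool:
    """Compare against a fingerprint obtained out-of-band; short key IDs are refused."""
    want = re.sub(r"\s+", "", trusted).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", want):
        raise ValueError("need the full 40-hex-digit fingerprint, not a key ID")
    return hmac.compare_digest(fingerprint(asc), want)

def armor_sample(packet: bytes) -> str:             # helper for the constructed sample only
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(packet).decode()
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

# Constructed sample: a v4 RSA-shaped packet with dummy MPIs (not a usable key).
SAMPLE_BODY = bytes([4, 0, 0, 0, 0, 1]) + b"\x00\x08\xc5" + b"\x00\x02\x03"
SAVED_COPY = armor_sample(bytes([0x98, len(SAMPLE_BODY)]) + SAMPLE_BODY)              # copy a trusted contact saved
DOWNLOADED = armor_sample(bytes([0x98, len(SAMPLE_BODY)]) + SAMPLE_BODY[:-1] + b"\x02")  # key swapped on the server
```

The comparison only means something if the trusted fingerprint reached you through a channel the web server does not control; a fingerprint printed on the same page as the .asc adds nothing.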

