When asking a user to trust a public key, also supply free-form metadata that the truster can use to help verify it, for example in the SSH key fingerprint verification prompt. The metadata might read: "Go to room XYZ and talk to the sysadmin, who can verify it." "Here's a URL to a video of the key's owner reading the key fingerprint aloud" (which you can trust only on the assumption that video can't be faked). "Here's a URL to a trusted website that publishes the key fingerprint."
Some day, this metadata can be used to deploy the One True PKI solution, as soon as someone invents it.
- SSH host keys
- PGP keys
- Self-signed Web certificates
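As an added illustration (this is example code written for this page, not anything the post's author shipped), here is one way to attach such verification hints to an SSH host key. It builds a trust record that pairs an OpenSSH-format fingerprint with the free-form hints, renders the kind of prompt the post describes, and checks a key presented later against the record. The key material is constructed inline and is not a real key; the hostname, room number and URLs are placeholders.

```python
import base64
import hashlib
import json
import struct

# Constructed sample key material for a hypothetical host "bastion.example".
# This is NOT a real ed25519 public key, just 32 fixed bytes so the example runs offline.
SAMPLE_RAW_KEY = bytes(range(32))

# Free-form verification hints of the kind the post proposes (placeholder values).
SAMPLE_HINTS = [
    "Go to room 101 and ask the sysadmin on duty to confirm this fingerprint.",
    "Video of the key owner reading the fingerprint: https://example.invalid/fp-video",
    "Fingerprint is also published at: https://example.invalid/host-keys",
]


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_openssh_pubkey(raw_key: bytes, key_type: str = "ssh-ed25519") -> str:
    """Return an authorized_keys / known_hosts style line ("<type> <base64 blob>")."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()}"


def openssh_fingerprint(pubkey_line: str) -> str:
    """Compute the fingerprint OpenSSH displays: SHA-256 of the key blob, base64 without '=' padding."""
    _, b64blob = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def make_trust_record(hostname: str, pubkey_line: str, hints: list[str]) -> dict:
    """Bundle the key, its fingerprint and the human-readable verification hints."""
    return {
        "host": hostname,
        "key": pubkey_line,
        "fingerprint": openssh_fingerprint(pubkey_line),
        "verification_hints": list(hints),
    }


def render_prompt(record: dict) -> str:
    """Produce the text a client would show in place of the bare 'Are you sure?' prompt."""
    lines = [
        f"The authenticity of host '{record['host']}' can't be established.",
        f"Key fingerprint is {record['fingerprint']}.",
        "Ways to verify this fingerprint before trusting it:",
    ]
    lines += [f"  - {hint}" for hint in record["verification_hints"]]
    return "\n".join(lines)


def check_presented_key(record: dict, presented_line: str) -> tuple[bool, str]:
    """Compare a key presented by the server against the stored record.

    On mismatch the hints are returned again, because that is exactly when
    the user needs an out-of-band way to tell a key rotation from an attack.
    """
    presented_fp = openssh_fingerprint(presented_line)
    if presented_fp == record["fingerprint"]:
        return True, "fingerprint matches the stored trust record"
    return False, (
        f"fingerprint mismatch: stored {record['fingerprint']}, presented {presented_fp}; "
        "re-verify using: " + " | ".join(record["verification_hints"])
    )


if __name__ == "__main__":
    pubkey = build_openssh_pubkey(SAMPLE_RAW_KEY)
    record = make_trust_record("bastion.example", pubkey, SAMPLE_HINTS)
    print(render_prompt(record))
    print(json.dumps(record, indent=2))
    # A key with one byte changed must be rejected.
    tampered = build_openssh_pubkey(bytes([255]) + SAMPLE_RAW_KEY[1:])
    print(check_presented_key(record, tampered))
```

The record and its hints have to reach the client over a channel the truster already trusts (a known_hosts file shipped with the machine image, a signed configuration bundle, and so on): whoever can substitute the host key in transit could substitute the hints just as easily, so the hints strengthen verification only when they are delivered separately from the key being verified.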