
28 Oct 2012, 8:38 p.m.
On Sun, 28 Oct 2012 17:46:10 +0100 Petr P wrote:
> In this particular case, cabal can have the public part of the certificate built-in (as it has the web address built in). So once one has a verified installation of cabal, it can verify the server packages without being susceptible to MitM attack (no matter if they're PGP signed or X.509 signed).
This is PGP's security model, so it's probably better to use PGP keys.