pyvpx: I know that is (was?) a thing. never done it myself
fIorz_: indeed, I haven't looked for that yet, but yeah, I thought something along the lines of listing the fingerprints in the web interface
brycec: SSHFP is what you're thinking of, and yeah it's only "trustworthy" if the domain is signed, and even then only if the resolver checks DNSSEC...
(In other words, all depending on your level of paranoia)
One might publish a fingerprint on the website, but then there's the whole entire trust chain, starting with DNSSEC and DNS in general, to SSL cert chain trust, to the website/host security itself and whether someone injected malicious content into an otherwise-official page.
fIorz_: well, sure, but it would certainly be strictly not worse than not having it :-)
and while the trust model of the x509 PKI certainly is questionable, it does do a pretty good job against local attackers
brycec: Regardless, SSHFP verification is off by default (last I checked) so Most Users(tm) aren't going to benefit from it, not unless they already know about it or their system administrator does anyways. I don't say this as a reason not to bother using it, just to point out that Everything Is Awful(tm)
mercutio: i notice most people just delete a key when they see that prompt for changed fingerprint
s/most/some/
BryceBot: <mercutio> i notice some people just delete a key when they see that prompt for changed fingerprint
***: dj_goku has quit IRC (Ping timeout: 260 seconds)
dj_goku has joined #arpnetworks
dj_goku has quit IRC (Changing host)
dj_goku has joined #arpnetworks
toeshred has quit IRC (Ping timeout: 244 seconds)
toeshred has joined #arpnetworks
fIorz_ is now known as fIorz
ben2 has joined #arpnetworks
ChanServ sets mode: +o ben2
mercutio has quit IRC (Ping timeout: 244 seconds)
neish_ is now known as neish
awyeah has quit IRC (Quit: ZNC - http://znc.in)
awyeah has joined #arpnetworks
ben2 is now known as mercutio
Lucifer333 has quit IRC (Quit: Leaving)
atmark has joined #arpnetworks