On 11/8/13 3:02 PM, Brent Putman wrote: > But IMHO they shouldn't be doing what they are doing in any case. Of course, as others have said already, this isn't really secure anyway unless and until they sign their metadata and you then configure to verify the signature. Or else arrange to receive the metadata in some other secure out-of-band manner.