Re: So I received a gpg-signed email, can I trust it?

To: debian-devel@lists.debian.org
Subject: Re: So I received a gpg-signed email, can I trust it?
From: Jakub Wilk <jwilk@debian.org>
Date: Fri, 8 Jul 2016 16:57:14 +0200
Message-id: <[🔎] 20160708145703.GA7488@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] caceaee8-11d5-2bfa-852e-822083cac73b@debian.org>
References: <[🔎] 20160708092127.GA17962@enricozini.org> <[🔎] caceaee8-11d5-2bfa-852e-822083cac73b@debian.org>

* Simon Richter <sjr@debian.org>, 2016-07-08, 14:33:

given that it is now possible to generate arbitrary short key IDcollisions[1], and that it's now computationally feasible to at leastgenerate a pair of keys with colliding long key IDs, I'd like torethink practices and tools.
With the web of trust, in principle there shouldn't be a problem.
I have a valid trust path to Piotr's correct key. I don' have any tothe fake key, because no one I trust has signed a key from the evil32set

...yet.

Given that many crypto tools have --feel-free-to-shoot-me-in-the-foot asthe default, and some even don't have --do-not-shoot-me-in-the-foot asan option (see #800134), it's only a matter of time before someone slipsup.

Or maybe it's already happened? Check out debian-hiding-problems@, er, Imean debian-private@ archives.


--
Jakub Wilk

Reply to:

References:
- So I received a gpg-signed email, can I trust it?
  - From: Enrico Zini <enrico@enricozini.org>
- Re: So I received a gpg-signed email, can I trust it?
  - From: Simon Richter <sjr@debian.org>

Prev by Date: Re: So I received a gpg-signed email, can I trust it?
Next by Date: Installer of Debian Stable allows to use btrfs for /, does it mean it's mature enough to use safely?
Previous by thread: Re: So I received a gpg-signed email, can I trust it?
Next by thread: Re: So I received a gpg-signed email, can I trust it?
Index(es):
- Date
- Thread