Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild

To: debian-devel@lists.debian.org
Subject: Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
From: Samuel Thibault <sthibault@debian.org>
Date: Wed, 10 Aug 2016 15:44:14 +0200
Message-id: <[🔎] 20160810134414.GO20126@var.home>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 8db4d32d-183c-0ebe-ad40-415354b16d9e@iwakd.de>
References: <[🔎] 20160809224743.GZ6224@var.home> <[🔎] 20160810102609.GA11598@layer-acht.org> <[🔎] 22443.1121.66705.655304@chiark.greenend.org.uk> <[🔎] 2ee796d3a04f9a124dfb28c796d19049@mail.adam-barratt.org.uk> <[🔎] 22443.5699.799458.307480@chiark.greenend.org.uk> <[🔎] 0811b532911f19a276f1d5370346f979@mail.adam-barratt.org.uk> <[🔎] 22443.8657.418506.957104@chiark.greenend.org.uk> <[🔎] 20160810131948.GA20126@var.home> <[🔎] 8db4d32d-183c-0ebe-ad40-415354b16d9e@iwakd.de>

Christian Seiler, on Wed 10 Aug 2016 15:37:43 +0200, wrote:
> On 08/10/2016 03:19 PM, Samuel Thibault wrote:
> > Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
> >> Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild"):
> >>> [explanation]
> >>
> >> Thanks.
> >>
> >> I don't know what side of this (one) line such a proposed gpg change
> >> falls.  I still think it's unsatisfactory that our stable release has
> >> a default behaviour which cannot be used safely.
> > 
> > Well, I'd argue that 64bit IDs are not safe either, they have not been
> > made to be.
> 
> Can we even consider key fingerprints safe in the long run?

Well, I'd say that in the end people *have* to cryptographically check
the signatures, and not trust fingerprints.

Thinking about it, I'd say we could even instead *shorten* the default
ID to 16bit, so that people will hopefully simply just not trust them at
all. For practical uses, 16bit hashing is enough to manage one's public
keyring.

Samuel

Reply to:

Follow-Ups:
- Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
  - From: Christian Seiler <christian@iwakd.de>

References:
- Re: Key collisions in the wild
  - From: Samuel Thibault <sthibault@debian.org>
- use long keyid-format in gpg.conf (Re: Key collisions in the wild
  - From: Holger Levsen <holger@layer-acht.org>
- use long keyid-format in gpg.conf (Re: Key collisions in the wild
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
  - From: Samuel Thibault <sthibault@debian.org>
- Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
  - From: Christian Seiler <christian@iwakd.de>

Prev by Date: Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
Next by Date: Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
Previous by thread: Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
Next by thread: Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
Index(es):
- Date
- Thread