Fingerprints and Key-IDs - Was: [PATCH] avoid publishing the GnuPG version by default

ilf ilf at zeromail.org
Sat Aug 6 16:06:04 CEST 2016


Daniel Kahn Gillmor:
> ilf, what are you asking for when you ask for removing the 
> "keyid-format" option altogether?

As always, dkg is right, and I need to be more precise. Fortunately, I 
can just quote you:

> I'm arguing here that short Key IDs and long Key IDs are actually 
> useless, and we should stop using them entirely where we can do so. We 
> certainly should not be exposing normal human users to them.

https://debian-administration.org/users/dkg/weblog/105

I assume that the option --keyid-format was first "widely" used to 
migrate from --keyid-format "short" to "long" after the first 
collisions were shown in 2011. That was okay then.

https://web.archive.org/web/20160304064423/http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html

But as dkg has argued in 2013, we should move away from --keyid-format 
"short" *and* "long". Which is why "none" was introduced and is now the 
default.

Currently, --keyid-format…

> …"none" does not show the key ID at all but shows the fingerprint in a 
> separate line.

This is good.

But "short" and "long" do *only* show the key ID, *and not* the 
fingerprint in a separate line. (Except if used with --fingerprint, 
which is what this does: 
https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf)

Surely this is not a desired behavior.

So I would propose:

1. Short term: Add "the fingerprint in a separate line" for all 
--keyid-format values.

2. Gradually deprecate the "keyid-format" option.

2.a. Mid term: Add a warning to stderr if keyid-format is explicitly set 
to anything but "none". Note this in release notes.

2.b. Long term: Remove the parameter entirely.

What do you think?

-- 
ilf

Over 80 million Germans don't use a console. Don't click away!
		-- An initiative of the Federal Office for Keyboard Use
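To make concrete why the post treats key IDs as a lossy stand-in for the fingerprint, here is an added Python example (not code from the post, from GnuPG, or from its author; the RSA modulus, exponent and creation time are constructed toy values, not a real key). It builds a v4 public-key packet body and derives the fingerprint per RFC 4880, then shows that the "long" and "short" key IDs are just the last 16 and 8 hex digits of it.

```python
import hashlib


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 3.2):
    two-byte bit length followed by the big-endian magnitude."""
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 public-key packet for RSA (RFC 4880 5.5.2):
    version 4, 4-byte creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()


def key_ids(fpr: bytes) -> dict:
    """What each --keyid-format value identifies the key by.
    'long' is the low 64 bits of the fingerprint, 'short' the low 32 bits;
    only 'none' (the full 160-bit fingerprint) carries all the identifying
    material, which is why short/long IDs are cheap to collide."""
    return {
        "none": fpr.hex().upper(),
        "long": fpr[-8:].hex().upper(),
        "short": fpr[-4:].hex().upper(),
    }


def demo() -> dict:
    # Constructed toy values, NOT a real key; only the packet layout matters here.
    n = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789AB
    e = 65537
    body = v4_rsa_public_key_body(created=1470484800, n=n, e=e)
    return key_ids(v4_fingerprint(body))


if __name__ == "__main__":
    for fmt, shown in demo().items():
        print(f"--keyid-format {fmt:5}: {shown}")
```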