Robert J. Hansen rjh at
Fri Jun 22 18:57:06 CEST 2012

On 6/22/2012 12:39 PM, vedaal at wrote:
> "trivially countered by
> simply listing the keysize together with the fingerprint."

This is, unfortunately, not a trivial fix.

Already people don't pay attention to proper validation because the idea
of checking the fingerprint is alien to them, they don't understand it,
don't understand why it's necessary.  Adding another step of "verify the
keysize, too" will just compound the problem.

If your solution takes the worst part of key validity checking and makes
it even worse, then that's not a fix: that's an emergency stopgap
measure while people move to a better cryptosystem, such as V4 keys.

If you want to call it a stopgap, sure, I'll agree with you.  But I
can't agree that what you're calling a "fix" actually fixes anything.

