changing the default for --keyid-format [was: Re: getting an encrypted file to show what public key was used]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue May 29 17:51:06 CEST 2012
On 05/29/2012 11:35 AM, Werner Koch wrote:
> gpg --keyid-format long --decrypt sensitive_file.gpg
> to see the non-abbreviated key ID as stored in the file. Use this to
> find the key on a server, etc.
I've seen a lot of these mistakes where people seem to think that 32-bit
keyids are somehow collision-resistant. For example:

Perhaps GnuPG should change the default of --keyid-format from "short"
to "long"? Certainly, the 64-bit keyID itself is not as
collision-resistant as the full fingerprint, but it does raise the bar
for an attacker (and discourages users from just parroting the 32-bit
keyid if they don't understand what they're looking at).

I think switching the default to "long" would be on balance a Good Thing.
What do other people think?
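An added example, not part of the original message and not GnuPG code: a keyring audit that reports which key IDs name more than one fingerprint under each --keyid-format. It assumes v4 keys, where the key ID is the low-order 64 bits of the 160-bit fingerprint and the short form is the low-order 32 bits. The listing is constructed in the style of `gpg --with-colons --fingerprint` output with made-up fingerprints, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the style of `gpg --with-colons --fingerprint`.
# Every fingerprint, key ID and user ID below is made up for this example.
SAMPLE_LISTING = """\
pub:-:2048:1:0F1E2D3CDEADBEEF:1338300000:::-:::scESC:
fpr:::::::::A1B2C3D4E5F60718293A4B5C0F1E2D3CDEADBEEF:
uid:-::::1338300000::::Alice Example <alice@example.org>:
pub:-:2048:1:CCDDEEFFDEADBEEF:1338300100:::-:::scESC:
fpr:::::::::00112233445566778899AABBCCDDEEFFDEADBEEF:
uid:-::::1338300100::::Alice Example <alice@example.org>:
pub:-:4096:1:3322110012345678:1338300200:::-:::scESC:
fpr:::::::::FFEEDDCCBBAA99887766554433221100 12345678:
""".replace("33221100 12345678", "3322110012345678")

# Hex digits shown for each --keyid-format value discussed in the thread.
HEX_DIGITS = {"short": 8, "long": 16}


def fingerprints(listing):
    """Yield the fingerprint (field 10) of every v4 'fpr' record."""
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and len(fields[9]) == 40:
            yield fields[9].upper()


def key_id(fpr, fmt):
    """Return the key ID a v4 fingerprint is displayed as under fmt."""
    return fpr[-HEX_DIGITS[fmt]:]


def ambiguous_ids(listing, fmt):
    """Map each key ID that names several fingerprints to those fingerprints."""
    seen = defaultdict(set)
    for fpr in fingerprints(listing):
        seen[key_id(fpr, fmt)].add(fpr)
    return {kid: sorted(fprs) for kid, fprs in seen.items() if len(fprs) > 1}


if __name__ == "__main__":
    for fmt in ("short", "long"):
        clashes = ambiguous_ids(SAMPLE_LISTING, fmt)
        print(fmt, "->", clashes or "no ambiguous IDs in this keyring")
```

In the constructed keyring the two "Alice Example" keys are indistinguishable by short key ID and distinct by long key ID; only the full fingerprint identifies a key without relying on truncation.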