changing the default for --keyid-format [was: Re: getting an encrypted file to show what public key was used]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue May 29 17:51:06 CEST 2012
On 05/29/2012 11:35 AM, Werner Koch wrote:
> Use
>
> gpg --keyid-format long --decrypt sensitive_file.gpg
>
> to see the non-abbreviated key ID as stored in the file. Use this to
> find the key on a server, etc.

I've seen a lot of these mistakes where people seem to think that 32-bit
keyids are somehow collision-resistant. For example:

https://lists.ubuntu.com/archives/uds-announce/2012-May/000234.html

Perhaps GnuPG should change the default of --keyid-format from "short"
to "long"? Certainly, the 64-bit keyID itself is not as
collision-resistant as the full fingerprint, but it does raise the bar
for an attacker (and discourages users from just parroting the 32-bit
keyid if they don't understand what they're looking at).

I think switching the default to "long" would be on balance a Good Thing.

What do other people think?

--dkg
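
The following is an added example, not part of the original post or of GnuPG: it shows that the "short" and "long" key IDs of a V4 key are just the trailing 32 and 64 bits of its fingerprint, and how a short ID can therefore match more than one key in a keyring. The key listing is constructed (the hex values are made up), and the helper names `resolve` and `keys_for_even_odds` are hypothetical.

```python
import math

# Constructed "fpr" records in the colon-delimited layout printed by
# `gpg --with-colons --fingerprint` (field 10 holds the fingerprint).
# The fingerprints are made up for illustration, not real keys.
SAMPLE_LISTING = """\
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDEADBEEF:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210DEADBEEF:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
"""

def fingerprints(listing):
    """Extract the fingerprint from every fpr record in a colon listing."""
    out = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            out.append(fields[9].upper())
    return out

def key_id(fpr, fmt):
    """V4 key IDs are the low-order bits of the fingerprint (RFC 4880, 12.2)."""
    digits = {"short": 8, "long": 16}[fmt]
    return fpr[-digits:]

def resolve(identifier, fprs):
    """Return every fingerprint that the given key ID or fingerprint matches."""
    ident = identifier.upper()
    if ident.startswith("0X"):
        ident = ident[2:]
    return [f for f in fprs if f.endswith(ident)]

def keys_for_even_odds(bits):
    """Birthday estimate: number of random keys at which two of them
    share the same `bits`-bit identifier with roughly 50% probability."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)

if __name__ == "__main__":
    ring = fingerprints(SAMPLE_LISTING)
    for ident in ("DEADBEEF", "0x89ABCDEFDEADBEEF", ring[1]):
        print(ident, "->", len(resolve(ident, ring)), "match(es)")
    for bits in (32, 64, 160):
        print(bits, "bits:", f"{keys_for_even_odds(bits):.3g}", "keys")
```
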