changing the default for --keyid-format [was: Re: getting an encrypted file to show what public key was used]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue May 29 17:51:06 CEST 2012


On 05/29/2012 11:35 AM, Werner Koch wrote:
> Use 
> 
>    gpg --keyid-format long --decrypt sensitive_file.gpg
> 
> to see the non-abbreviated key ID as stored in the file.  Use this to
> find the key on a server, etc.

i've seen a lot of these mistakes where people seem to think that 32-bit
keyids are somehow collision-resistant.  For example:

 https://lists.ubuntu.com/archives/uds-announce/2012-May/000234.html

Perhaps GnuPG should change the default of --keyid-format from "short"
to "long"?  certainly, the 64-bit keyID itself is not as
collision-resistant as the full fingerprint, but it does raise the bar
for an attacker (and discourages users from just parrotting the 32-bit
keyid if they don't understand what they're looking at).

I think switching the default to "long" would be on balance a Good Thing.

What do other people think?

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20120529/225a2fa9/attachment.pgp>


More information about the Gnupg-users mailing list