German ct magazine postulates death of pgp encryption

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Sun Mar 1 18:08:57 CET 2015


On 03/01/2015 06:01 PM, Marco Zehe wrote:
> Hi Kristian,
> 
>> On 01.03.2015 at 17:54, Kristian Fiskerstrand
>> <kristian.fiskerstrand at sumptuouscapital.com> wrote:
>> 
>> Since the author's first reaction was closing it WONTFIX I didn't
>>  bother, with that kind of behavior they can't possibly take 
>> security seriously.
> 
> Error in judgement that has since been corrected. These things 
> sometimes happen, but this should definitely not be generalized.
> 

Fair enough, but it does tell something about culture that it happens,
even if corrected.

>> (ii) Ditto for the issue of replacing the subkeys, as key
>> rotation would not be automatically taken into consideration and
>> would have to be uploaded manually to each bugzilla
>> implementation using that flawed piece of software (the
>> securemail extension, not bugzilla itself).
> 
> Yes, these instances are all acting independently, there is no 
> exchange between totally unrelated Bugzilla instances.

And there shouldn't be interaction between the various bugzilla
instances, but there should be lookups to keyserver networks
(preferably to a locally controlled keyserver to avoid certain
information leakages, but that is another matter). In my own case I'm
on some 10-15 bugzillas, with at least an annual rotation of the
encryption subkey of my main key, meaning I have to manually update
the key in these instances (that currently involve manual key
splitting and pasting non-conforming OpenPGP data) on the bugzillas
that have enabled it. Another issue with the current implementation,
btw, is that there is no way to define group based keys (see gpg's
--group), so aliases can't be used, e.g. for an alias such as
security at participant.invalid (this should be integrated into the
already existing group restriction possibility in bugzilla), which
ironically will send unencrypted email messages fondly even though
something is restricted...


-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Veni vidi velcro
I came, I saw, I got stuck
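The subkey rotation problem discussed in the thread, in working form, as an added example that is not part of the original thread or of any Bugzilla or securemail code: it parses `gpg --with-colons --list-keys` output (a constructed listing with placeholder key IDs and fingerprint) to find the encryption subkey an instance must currently hold, and flags stored key IDs that have gone stale because they expired or were revoked.

```python
"""Pick the encryption subkey a Bugzilla instance should hold right now."""
from datetime import datetime, timezone

# Constructed sample of `gpg --with-colons --list-keys` output: a primary key
# with an annually rotated encryption subkey.  Key IDs and fingerprint are
# placeholders; the old subkey has expired, the new one is the only valid one.
SAMPLE_LISTING = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1389000000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1389000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user at example.invalid>::::::::::0:
sub:e:2048:1:1111111111111111:1389000000:1420000000:::::e::::::23:
sub:u:2048:1:2222222222222222:1420000000:1451606400:::::e::::::23:
"""
NOW = datetime(2015, 3, 1, tzinfo=timezone.utc)      # date of this thread
LATER = datetime(2016, 6, 1, tzinfo=timezone.utc)    # after the newer subkey expires

def _ts(field):
    """Fields 6/7 are seconds since the epoch in modern gpg, YYYY-MM-DD in old builds."""
    if not field:
        return None                                   # no expiry set
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def encryption_subkeys(listing):
    """Every subkey with the 'e' capability: (keyid, created, expires, validity)."""
    out = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "sub" and "e" in f[11]:
            out.append((f[4], _ts(f[5]), _ts(f[6]), f[1]))
    return out

def usable_encryption_subkeys(listing, now):
    """Subkeys that gpg does not mark expired ('e') or revoked ('r') and whose expiry is still ahead."""
    return [k for k in encryption_subkeys(listing)
            if k[3] not in ("e", "r") and (k[2] is None or k[2] > now)]

def current_encryption_subkey(listing, now):
    """The newest usable encryption subkey, or None if nobody can encrypt to this key."""
    usable = usable_encryption_subkeys(listing, now)
    return max(usable, key=lambda k: k[1])[0] if usable else None

def stale_keyids(stored_keyids, listing, now):
    """Key IDs an instance still holds that are no longer usable for encryption."""
    usable = {k[0] for k in usable_encryption_subkeys(listing, now)}
    return [k for k in stored_keyids if k not in usable]
```

Run against a fresh keyserver fetch, the `stale_keyids` result is exactly the list of instances where the pasted key needs to be replaced by hand.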