German ct magazine postulates death of pgp encryption

Kristian Fiskerstrand kristian.fiskerstrand at
Sun Mar 1 18:08:57 CET 2015

Hash: SHA512

On 03/01/2015 06:01 PM, Marco Zehe wrote:
> Hi Kristian,
>> Am 01.03.2015 um 17:54 schrieb Kristian Fiskerstrand 
>> <kristian.fiskerstrand at>:
>> Since the author's first reaction was closing it WONTFIX I didn't
>>  bother, with that kind of behavior they can't possibly take 
>> security seriously.
> Error in judgement that has since been corrected. These things 
> sometimes happen, but this should definitely not be generalized.

fair enough, but it does tell something about culture that it happens,
even if corrected.

>> (ii) Ditto for the issue of replacing the subkeys, as key
>> rotation would not be automatically taken into consideration and
>> would have to be uploaded manually to each bugzilla
>> implementation using that flawed piece of software (the
>> securemail extension, not bugzilla itself).
> Yes, these instances are all acting independently, there is no 
> exchange between totally unrelated Bugzilla instances.

And there shouldn't be interaction between the various bugzilla
instances, but there should be lookups to keyserver networks
(preferably to a locally controlled keyserver to avoid certain
information leakages, but that is another matter). In my own case I'm
on some 10-15 bugzillas, with at least an annual rotation of the
encryption subkey of my main key, meaning I have to manually update
the key in these instances (that currently involve manual key
splitting and pasting non-conforming OpenPGP data) on the bugzillas
that have enabled it. Another issue with the current implementation,
btw, is that there is no way to define group based keys (see gpg's
- --group) , so aliases can't be used e.g. for an alias such as
security at participant.invalid, this should be integrated into the
already existing group restriction possibility in bugzilla), which
ironically will send unencrypted email messages fondly even though
something is restricted...

- -- 
- ----------------------------
Kristian Fiskerstrand
Twitter: @krifisk
- ----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Veni vidi velcro
I came, I saw, I got stuck


More information about the Gnupg-users mailing list