FAQ maintenance

Peter Lebbing peter at digitalbrains.com
Fri Feb 5 13:22:51 CET 2016


On 05/02/16 13:06, Robert J. Hansen wrote:
> What's the justification?


If somebody can create a long-keyID-collision, and you download your own key by
that key ID and also import the other one, they might be able to be the one that
gets "encrypted-to", I think? Another way to get on your keyring is when someone
attaches "their" public key to an e-mail and you click import.

If I just specify a key ID as encrypt-to in my gpg.conf, I don't get a warning
like "It is NOT certain that the key belongs to the person", it just encrypts to
a key with unknown validity without giving so much as a peep! So the usual
"collisions are not a problem because the key is invalid" doesn't apply. You're
stuck with the much weaker "your own key will probably be first in the keyring,
so it will use that". I don't feel comfortable with such a weak assurance.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



More information about the Gnupg-users mailing list