FAQ maintenance

Thu Feb 25 19:20:28 CET 2016

On 25/02/16 19:11, Robert J. Hansen wrote:
> If an attacker can control your gpg.conf file, there are so many worse
> things to do that it's hard for me to take this seriously.

I never, ever, once, argued the opposite. I sure hope you're not implying I am,
or that Kristian is. If you recall, I talked about public keys being attached to
e-mail messages, adding as a mitigating factor that your own key would probably
be earlier on the keyring. By now, we can add the mitigating factor that GnuPG
will bork on the key import. Plus, as was already established, the rather major
fact that as far as we know, nobody has pulled off a second-preimage attack
against a long keyID.

But take things as seriously as you see fit. As I indicated, this is more of the
variety of "what is prudence in user education", not "oh my God they are
H4xx0rzing our keez".

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>