TOFU

Stefan Claas stefan.claas at posteo.de
Wed Jun 21 21:26:55 CEST 2017


On Wed, 21 Jun 2017 21:04:09 +0200, Peter Lebbing wrote:
> On 21/06/17 20:49, Peter Lebbing wrote:
> > which would still
> > be marginally safe until computers are much faster, and certainly
> > not a short ID which is utterly unsafe and has always been.  
> 
> Which *might* still be marginally safe. I haven't done any actual
> calculations, and I want to seriously dissuade anyone from verifying
> keys by their long key ID. Don't do it, kids! 64 bits can be brute
> forced, but perhaps it might still be quite some effort to get a
> working key with a colliding long ID.
> 
> I really should not have written it the way I did in the previous
> mail, it was very sloppy.

What I have learned is that I use with my (online) friends a separate
list with their name and fingerprint on, have let TOFU check the
first couple of messages and then give them full trust with TOFU.
Since I have those contacts only sometimes, I think it's a good
procedure comparing a Good Signature's fingerprint on my monitor
with one from a paper list. (A copy of the paper list is also hidden
in another place.)

Regards
Stefan
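
The comparison described in the message above, as an added example that is not part of the original post and is not GnuPG code: it takes the `VALIDSIG` status line that `gpg --status-fd 1 --verify` emits and compares the full fingerprint against a pinned list, flagging the case where only the 64-bit long key ID agrees. The names `PINNED`, `check` and `status_line` are hypothetical, the fingerprints and status lines are constructed, and 40-hex-digit (v4) fingerprints are assumed.

```python
import re

# Constructed stand-in for the paper list: name -> full fingerprint as written down.
PINNED = {"alice": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"}

def normalize(fpr):
    """Drop spaces/colons, upper-case, and insist on a full 40-hex-digit (v4) fingerprint."""
    h = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", h):
        raise ValueError("not a full fingerprint: %r" % fpr)
    return h

def validsig_primary_fpr(status_text):
    """Return the primary-key fingerprint from a VALIDSIG status line, or None."""
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            # Field 10 is the primary key's fingerprint; fall back to the
            # signing key's fingerprint (field 1) if it is absent.
            return normalize(parts[11] if len(parts) >= 12 else parts[2])
    return None

def check(name, status_text, pinned=PINNED):
    """Compare the signer's full fingerprint with the pinned one for `name`."""
    fpr = validsig_primary_fpr(status_text)
    if fpr is None:
        return "no-valid-signature"
    want = normalize(pinned[name])
    if fpr == want:
        return "match"
    # Same last 16 hex digits (long key ID) but a different key: exactly the
    # case where checking only the long ID would have accepted the signature.
    if fpr[-16:] == want[-16:]:
        return "long-id-only"
    return "mismatch"

def status_line(fpr):
    """Build a constructed VALIDSIG line for the samples below."""
    return "[GNUPG:] VALIDSIG %s 2017-06-21 1498073215 0 4 0 1 8 00 %s" % (fpr, fpr)

# Constructed samples, not real keys or real gpg output.
GOOD = status_line("0123456789ABCDEF0123456789ABCDEF01234567")
SAME_LONG_ID = status_line("F" * 24 + "89ABCDEF01234567")
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Alice <alice@example.org>"

if __name__ == "__main__":
    for sample in (GOOD, SAME_LONG_ID, BAD):
        print(check("alice", sample))
```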