On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]

Ingo Klöcker kloecker at kde.org
Fri Mar 1 17:06:09 CET 2024

On Donnerstag, 29. Februar 2024 21:21:42 CET Daniel Kahn Gillmor wrote:
> human-readable names for certificates.  But i don't see how to use that
> safely while dealing with GnuPG's risky implementation choices here.

Allowing recipients to be specified by email address (or some other part of a 
user ID) was inherited from PGP. And I guess it's part of the reason for the 
success of PGP (and GnuPG) that one could specify keys of recipients by email 
addresses instead of by hard to remember key IDs (when those could still be 
considered unique) or by impossible to remember fingerprints (or by file name as 
sequoia-pgp seems to prefer).

Calling this a risky implementation choice of GnuPG is ridiculous. If anything 
then it's a risky implementation choice of pass to allow using anything other 
than a fingerprint in ~/.password-store/.gpg-id.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20240301/8be21993/attachment.sig>

More information about the Gnupg-users mailing list