On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]
Ingo Klöcker
kloecker at kde.org
Fri Mar 1 17:06:09 CET 2024
On Donnerstag, 29. Februar 2024 21:21:42 CET Daniel Kahn Gillmor wrote:
> human-readable names for certificates. But i don't see how to use that
> safely while dealing with GnuPG's risky implementation choices here.
Allowing recipients to be specified by email address (or some other part of a
user ID) was inherited from PGP. And I guess it's part of the reason for the
success of PGP (and GnuPG) that one could specify keys of recipients by email
addresses instead of by hard to remember key IDs (when those could still be
considered unique) or by impossible to remember fingerprints (or by file name as
sequoia-pgp seems to prefer).
Calling this a risky implementation choice of GnuPG is ridiculous. If anything
then it's a risky implementation choice of pass to allow using anything other
than a fingerprint in ~/.password-store/.gpg-id.
Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20240301/8be21993/attachment.sig>
More information about the Gnupg-users
mailing list