On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]

Jay Acuna mysidia at gmail.com
Sat Mar 2 07:02:59 CET 2024


On Fri, Mar 1, 2024 at 8:57 PM Daniel Kahn Gillmor via Gnupg-users
<gnupg-users at gnupg.org> wrote:

> I agree with you that it's nice to refer to people by human-memorable
> names.  I just wish it was safe to do so.

I would consider it safe to do so.  It is in fact mostly the entire purpose
of GPG to identify the correct certificates to send messages for you.

If PGP did not choose the certificate for you, then it would just be
OpenSSL; i.e. it would not be useful for the very purpose of the software.

> > Calling this a risky implementation choice of GnuPG is ridiculous.
> Is it really ridiculous?  It seems factual to me.  Note that I'm not

It is not factual.

> For example, GnuPG could instead offer an interface with explicit
> options to allow the user to choose to match certificates by
> fingerprint, or by e-mail address, or by name, or by full User ID, but
> not a mishmash of all of the above.

No. Either you trust the authenticity of the certificate, including the
Email address, Name, and Full User IDs, or you don't.
If you trust the certificate, then it should be safe to match it based on
all the attributes.  If you own a certificate that should no longer be trusted,
then you should revoke it.

Trust is determined based on the chain of Certificate signatures, and
the contents of your Key storage indicating which certificate signers you trust.

If your Public Key storage is compromised so that it is configured to
Trust certificates you should not, then so is that whole PGP installation.

The Unsafe condition would be allowing yourself to have Public key storage
containing certificates or signers you should not trust marked trusted.

> > If anything then it's a risky implementation choice of pass to allow
> > using anything other than a fingerprint in ~/.password-store/.gpg-id.

Pass isn't part of GPG, so who knows whether what they are doing is
safe or not.

I would say inputting a full Key ID or e-mail address is safe enough.

If your GPG Installation is so badly damaged that you have Incorrect
keys marked trusted in your public key storage, then you should consider
your whole software installation compromised.

Software with a compromised installation (damaged binaries or config)
would be inherently unsafe to use.

-- 
-J
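The thread disagrees on whether an e-mail address or name in ~/.password-store/.gpg-id is safe; what is not in dispute is that only a full fingerprint names exactly one certificate. As an added example (not code from the thread, pass, or GnuPG), this small audit script classifies each .gpg-id line by the form of identifier gpg would receive as a recipient, so a store owner can see which entries rely on User ID matching rather than a fingerprint. The file contents are constructed sample data; the 0x prefix and trailing "!" (subkey pin) forms are accepted because gpg accepts them.

```python
import re

# Constructed sample .gpg-id contents, one recipient per line as pass stores them.
SAMPLE_GPG_ID = """\
0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
DEADBEEFDEADBEEF
alice@example.org
Bob Example
"""

# Optional 0x prefix, hex digits, optional trailing '!' (gpg's subkey selector).
HEX_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]+)!?$")


def classify(entry: str) -> str:
    """Classify one .gpg-id line by how gpg would look the recipient up."""
    e = entry.strip().replace(" ", "")  # gpg tolerates spaced fingerprints
    m = HEX_RE.match(e)
    if m:
        n = len(m.group(1))
        if n in (40, 64):
            return "fingerprint"   # 160-bit (v4) or 256-bit fingerprint: unambiguous
        if n == 16:
            return "long-keyid"    # 64-bit suffix of the fingerprint: collidable
        if n == 8:
            return "short-keyid"   # 32-bit suffix: trivially collidable
    if "@" in e:
        return "email"             # matched against User ID e-mail part
    return "name"                  # matched as a User ID substring


def audit_gpg_id(text: str) -> dict:
    """Map every non-empty .gpg-id line to its identifier class."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            result[line] = classify(line)
    return result


def non_fingerprint_entries(text: str) -> list:
    """Entries whose resolution depends on the keyring contents, not a fingerprint."""
    return [e for e, c in audit_gpg_id(text).items() if c != "fingerprint"]


if __name__ == "__main__":
    for entry, kind in audit_gpg_id(SAMPLE_GPG_ID).items():
        print(f"{kind:12s} {entry}")
```

Running it against a real store means reading ~/.password-store/.gpg-id instead of SAMPLE_GPG_ID; the classes only describe the identifier form, they do not check the keyring.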