pgpfan:wtmwp
Differences
This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
pgpfan:wtmwp [2022/01/18 21:59] – created b.walzer | pgpfan:wtmwp [2022/01/28 17:48] (current) – Was not accurate/logical in context. b.walzer | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ======What’s the matter with PGP? --- Some Comments====== | + | ======What’s the matter with PGP? ― Some Comments====== |
This is somewhat older blog post (2014), but it shows up in internet discussions from time to time, usually posted without context. I have some observations... | This is somewhat older blog post (2014), but it shows up in internet discussions from time to time, usually posted without context. I have some observations... | ||
Line 13: | Line 13: | ||
Basically the idea here is that PGP keys are too long. We are invited to compare the length of the key used for a system called " | Basically the idea here is that PGP keys are too long. We are invited to compare the length of the key used for a system called " | ||
- | > | + | > |
>//Three public keys offering roughly the same security level. From top-left: (1) Base58-encoded Curve25519 public key used in miniLock. (2) OpenPGP 256-bit elliptic curve public key format. (3a) GnuPG 3,072 bit RSA key and (3b) key fingerprint.// | >//Three public keys offering roughly the same security level. From top-left: (1) Base58-encoded Curve25519 public key used in miniLock. (2) OpenPGP 256-bit elliptic curve public key format. (3a) GnuPG 3,072 bit RSA key and (3b) key fingerprint.// | ||
Line 30: | Line 30: | ||
B268 0152 E274 EDE5 53C3 7C80 F80F A811 DE73 D33B | B268 0152 E274 EDE5 53C3 7C80 F80F A811 DE73 D33B | ||
- | The OpenPGP "key fingerprint" | + | The OpenPGP "key fingerprint" |
Now the post complains about the behaviour of GnuPG: | Now the post complains about the behaviour of GnuPG: | ||
Line 43: | Line 43: | ||
- You might later notice the key that was actually downloaded and wonder where it came from. | - You might later notice the key that was actually downloaded and wonder where it came from. | ||
| | ||
- | As already clearly pointed out by the post a PGP public key is a separate entity. It could come from anywhere, not just a key server. So the normal practice is to add it to your keyring and then attempt to certify it as representing the identity of your correspondent. | + | As already clearly pointed out by the post a PGP public key is a separate entity. It could come from anywhere, not just a key server. So the normal practice is to add it to your keyring and then attempt to certify it as representing the identity of your correspondent. |
Then this: | Then this: | ||
- | > | + | > |
>//PGP Key IDs are also pretty terrible, due to the short length and continued support for the broken V3 key format.// | >//PGP Key IDs are also pretty terrible, due to the short length and continued support for the broken V3 key format.// | ||
- | A key ID is a sort of a nickname of a key fingerprint. By convention | + | A key ID is a sort of a nickname of a key fingerprint. By convention |
>//PGP key management sucks// | >//PGP key management sucks// | ||
Line 82: | Line 82: | ||
>Most of these issues are //not// exploitable unless you use PGP in a non-standard way, e.g., for [[http:// | >Most of these issues are //not// exploitable unless you use PGP in a non-standard way, e.g., for [[http:// | ||
- | So which issues //are// exploitable if you use PGP in a non-standard way? We are left to guess. That allows me to simply wave away the whole thing by claiming that //none// of the issues are exploitable, | + | So which issues //are// exploitable if you use PGP in a non-standard way? How non-standard are we talking here? Obviously anything can be misused if you work at it hard enough. |
The now dead link suggests that the instant messaging system example is XMPP. Off the top of my head, there is nothing in the ways that PGP is currently used over XMPP that would make any of the listed attacks work. | The now dead link suggests that the instant messaging system example is XMPP. Off the top of my head, there is nothing in the ways that PGP is currently used over XMPP that would make any of the listed attacks work. |
pgpfan/wtmwp.txt · Last modified: 2022/01/28 17:48 by b.walzer