On Fri, Aug 12, 2016 at 12:32:34PM +0100, Ian Jackson wrote:
> Josh Triplett writes ("Re: use long keyid-format in gpg.conf (Re: Key
> collisions in the wild"):
> > I'd suggest moving directly to full fingerprints; from elsewhere in this
> > thread, it sounds like
On Fri, 12 Aug 2016, Ian Jackson wrote:
> Josh Triplett writes ("Re: use long keyid-format in gpg.conf (Re: Key
> collisions in the wild"):
> > I'd suggest moving directly to full fingerprints; from elsewhere in this
> > thread, it sounds like the current versio
Josh Triplett writes ("Re: use long keyid-format in gpg.conf (Re: Key
collisions in the wild"):
> I'd suggest moving directly to full fingerprints; from elsewhere in this
> thread, it sounds like the current version of gnupg has done so.
What should we do for users of je
Samuel Thibault wrote:
> And actually, moving to 64bit fingerprints by default is possibly not a
> good idea: who knows when 64bit will not be secure any more? Estimating
> very roughly, if a 32bit collision can be found within a few seconds
> with one GPU now as evil32 seems to show, a supercomput
Gunnar Wolf dijo [Wed, Aug 10, 2016 at 02:08:12PM -0500]:
> That's the reason why a key by itself means little, but we do place
> value on the web of trust around it.
> (...blah...)
Anyway, I managed to twist my mail with many facts and make it into a
long mess :) That was my main point. Nobody sh
Samuel Thibault dijo [Wed, Aug 10, 2016 at 02:03:33PM +0200]:
> And actually, moving to 64bit fingerprints by default is possibly not a
> good idea: who knows when 64bit will not be secure any more? Estimating
> very roughly, if a 32bit collision can be found within a few seconds
> with one GPU now
Ian Jackson, on Wed 10 Aug 2016 19:06:28 +0100, wrote:
> Samuel Thibault writes ("Re: use long keyid-format in gpg.conf (Re: Key
> collisions in the wild"):
> > Ian Jackson, on Wed 10 Aug 2016 18:56:52 +0100, wrote:
> > > Did you miss that paragraph the first t
Samuel Thibault writes ("Re: use long keyid-format in gpg.conf (Re: Key
collisions in the wild"):
> Ian Jackson, on Wed 10 Aug 2016 18:56:52 +0100, wrote:
> > Did you miss that paragraph the first two times (in which case I guess
> > me repeating it was useful) ?
>
Ian Jackson, on Wed 10 Aug 2016 18:56:52 +0100, wrote:
> Samuel Thibault writes ("Re: use long keyid-format in gpg.conf (Re: Key
> collisions in the wild"):
> > Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
> > > I don't know what side of this (
Samuel Thibault writes ("Re: use long keyid-format in gpg.conf (Re: Key
collisions in the wild"):
> Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
> > I don't know what side of this (one) line such a proposed gpg change
> > falls. I still think it's uns
On 10/08/16 15:19, Samuel Thibault wrote:
> Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
>> Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key
>> collisions in the wild"):
>>> [explanation]
>>
>> Thanks.
>>
On 08/10/2016 03:44 PM, Samuel Thibault wrote:
> Christian Seiler, on Wed 10 Aug 2016 15:37:43 +0200, wrote:
>> On 08/10/2016 03:19 PM, Samuel Thibault wrote:
>>> Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
>>>> Adam D. Barratt writes ("Re: use lon
Christian Seiler, on Wed 10 Aug 2016 15:37:43 +0200, wrote:
> On 08/10/2016 03:19 PM, Samuel Thibault wrote:
> > Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
> >> Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key
> >> collisions i
Christian Seiler writes ("Re: use long keyid-format in gpg.conf (Re: Key
collisions in the wild"):
> On 08/10/2016 03:19 PM, Samuel Thibault wrote:
> > Well, I'd argue that 64bit IDs are not safe either, they have not been
> > made to be.
>
> Can we even c
On 08/10/2016 03:19 PM, Samuel Thibault wrote:
> Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
>> Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key
>> collisions in the wild"):
>>> [explanation]
>>
>> Thanks.
>>
Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
> Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key
> collisions in the wild"):
> > [explanation]
>
> Thanks.
>
> I don't know what side of this (one) line such a proposed
Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key
collisions in the wild"):
> [explanation]
Thanks.
I don't know what side of this (one) line such a proposed gpg change
falls. I still think it's unsatisfactory that our stable release has
a default
On 2016-08-10 12:55, Ian Jackson wrote:
Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re:
Key collisions in the wild"):
On 2016-08-10 11:39, Ian Jackson wrote:
> It would be much better to put out a stable release update to change
> the default. (Probabl
Samuel Thibault, on Wed 10 Aug 2016 12:46:07 +0200, wrote:
> Holger Levsen, on Wed 10 Aug 2016 10:26:09 +, wrote:
> > I'm somewhat surprised by this mail… or rather by you appearantly
> > knowing about the issue but still you seem to not have acted as advised,
> > so let me repeat: everybody, p
Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key
collisions in the wild"):
> On 2016-08-10 11:39, Ian Jackson wrote:
> > It would be much better to put out a stable release update to change
> > the default. (Probably not a security update because o
On 2016-08-10 11:39, Ian Jackson wrote:
It would be much better to put out a stable release update to change
the default. (Probably not a security update because of the risk of
causing currently-vulnerable scripts to become nonfunctional, which is
not something we normally do in security updates
On Wed, 10 Aug 2016 10:26:09 +, Holger Levsen wrote:
> Hi Samuel,
>
> On Wed, Aug 10, 2016 at 12:47:43AM +0200, Samuel Thibault wrote:
>> As a late follow-up of the gpg key collision thread from debian-private
>> (but posted on debian-devel, there is nothing private here, I prefer to
>> see t
Holger Levsen, on Wed 10 Aug 2016 10:26:09 +, wrote:
> I'm somewhat surprised by this mail… or rather by you appearantly
> knowing about the issue but still you seem to not have acted as advised,
> so let me repeat: everybody, please put "keyid-format long" into your
> ~/.gnupg/gpg.conf!
Well,
23 matches
Mail list logo
