Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]
On Fri, 1 Mar 2024 21:56, Daniel Kahn Gillmor said:

> For example, GnuPG could instead offer an interface with explicit
> options to allow the user to choose to match certificates by
> fingerprint, or by e-mail address, or by name, or by full User ID, but

Simply prefix the fingerprint with 0x and gpg will only consider fingerprints. RTFM. You know that very well given that you are the person who was so keen to be able to maintain a "curated" keyring.

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
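The 0x rule stated above can be turned into a defensive check on the caller's side: a `pass`-style `.gpg-id` file is only allowed to contain full fingerprints, and each one is handed to gpg in the 0x-prefixed form so that user-ID matching never comes into play. The script below is an added example written for this thread; it is not code from `pass` or from GnuPG. The function names `gpg_id_to_exact_recipient` and `gpg_id_recipient_args` and the sample fingerprints are constructed for illustration, and the check accepts the 40-hex (v4) and 64-hex (v5) fingerprint lengths, with or without the spaces gpg prints.

```shell
#!/bin/sh
# Added example (not from the thread, pass or GnuPG): only let exact
# fingerprints through to gpg, in the 0x form that restricts matching
# to fingerprints.

# Accept a 40-hex (v4) or 64-hex (v5) fingerprint, optionally 0x-prefixed
# and optionally containing the spaces gpg prints; print it as 0x<HEX>.
# Return 1 for anything else (e-mail address, name, short key ID).
gpg_id_to_exact_recipient() {
    s=$(printf '%s' "$1" | tr -d ' \t')
    case "$s" in
        0x*|0X*) s=${s#??} ;;          # drop an existing 0x prefix
    esac
    case "$s" in
        *[!0-9A-Fa-f]*|'') return 1 ;; # not pure hex, or empty
    esac
    case ${#s} in
        40|64) ;;                      # v4 / v5 fingerprint lengths
        *) return 1 ;;
    esac
    printf '0x%s\n' "$s" | tr 'a-f' 'A-F'
}

# Read a .gpg-id file on stdin (one recipient per line, blank lines and
# '#' comments ignored) and print "-r 0x... -r 0x..."; fail on the first
# line that is not a fingerprint so nothing is encrypted to a guessed key.
gpg_id_recipient_args() {
    args=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        r=$(gpg_id_to_exact_recipient "$line") || {
            printf 'rejected non-fingerprint recipient: %s\n' "$line" >&2
            return 1
        }
        args="$args -r $r"
    done
    printf '%s\n' "${args# }"
}

# Constructed sample .gpg-id: one fingerprint as gpg prints it, then an
# e-mail address, which the check must refuse.
SAMPLE_GPG_ID='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
alice@example.org'

printf '%s\n' "$SAMPLE_GPG_ID" | gpg_id_recipient_args \
    || echo "refusing to run gpg with a non-fingerprint recipient" >&2
```

In a wrapper you would use the output as `set -- $(gpg_id_recipient_args < ~/.password-store/.gpg-id) && gpg -e "$@"`, so the encryption step is never reached when the file contains a name or address. The 0x behaviour itself is GnuPG's, as described in the reply above; this script only guarantees that what it passes on is a fingerprint in that form.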
Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]
On Fri, Mar 1, 2024 at 8:57 PM Daniel Kahn Gillmor via Gnupg-users wrote:

> I agree with you that it's nice to refer to people by human-memorable
> names. I just wish it was safe to do so.

I would consider it safe to do so. It is in fact mostly the entire purpose of GPG to identify the correct certificates to send messages for you. If PGP did not choose the certificate for you, then it would just be Openssl; i.e. it would not be useful for the very purpose of the software.

> > Calling this a risky implementation choice of GnuPG is ridiculous.
>
> Is it really ridiculous? It seems factual to me. Note that I'm not

It is not factual.

> For example, GnuPG could instead offer an interface with explicit
> options to allow the user to choose to match certificates by
> fingerprint, or by e-mail address, or by name, or by full User ID, but
> not a mishmash of all of the above.

No.. either you trust the authenticity of the certificate, including the Email address, Name, and Full User IDs, or you don't. If you trust the certificate, then it should be safe to match it based on all the attributes. If you own a certificate that should no longer be trusted, then you should revoke it.

Trust is determined based on the chain of Certificate signatures, and the contents of your Key storage indicating which certificate signers you trust. If your Public Key storage is compromised so that it is configured to Trust certificates you should not, then so is that whole PGP installation. The Unsafe condition would be allowing yourself to have Public key storage containing certificates or signers you should not trust marked trusted.

> > If anything then it's a risky implementation choice of pass to allow
> > using anything other than a fingerprint in ~/.password-store/.gpg-id.

Pass isn't part of GPG, so who knows whether what they are doing is safe or not. I would say inputting a full Key ID or e-mail address is safe enough.

If your GPG Installation is so badly damaged that you have Incorrect keys marked trusted in your public key storage, then you should consider your whole software installation compromised. Software with a compromised installation (damaged binaries or config) would be inherently unsafe to use.

--
-J
Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]
On Fri 2024-03-01 17:06:09 +0100, Ingo Klöcker wrote:

> On Thursday, 29 February 2024 21:21:42 CET Daniel Kahn Gillmor wrote:
>> human-readable names for certificates. But i don't see how to use that
>> safely while dealing with GnuPG's risky implementation choices here.
>
> Allowing recipients to be specified by email address (or some other
> part of a user ID) was inherited from PGP. And I guess it's part of
> the reason for the success of PGP (and GnuPG) that one could specify
> keys of recipients by email addresses instead of by hard to remember
> key IDs (when those could still be considered unique) or by impossible
> to remember fingerprints (or by file name as sequoia-pgp seems to
> prefer).

I agree with you that it's nice to refer to people by human-memorable names. I just wish it was safe to do so.

> Calling this a risky implementation choice of GnuPG is ridiculous.

Is it really ridiculous? It seems factual to me. Note that I'm not saying GnuPG is the only one to make such an implementation choice, but I really do think it's risky.

For example, GnuPG could instead offer an interface with explicit options to allow the user to choose to match certificates by fingerprint, or by e-mail address, or by name, or by full User ID, but not a mishmash of all of the above.

> If anything then it's a risky implementation choice of pass to allow
> using anything other than a fingerprint in ~/.password-store/.gpg-id.

I agree, that's risky too! But as you say above (and as the message that i sent, but which doesn't appear to have been delivered to the list, also said), it's an understandable urge to want to use human-readable names. It seems totally reasonable to put my own name there, for example! Who knew that it could cause problems‽

Anyway, for `pass` to restrict the contents of .gpg-id to being a fingerprint, the GnuPG API(?) requires `pass` to know exactly how to match a fingerprint so that GnuPG is also guaranteed to treat it as a fingerprint. If a new version of GnuPG ever accepts other forms of fingerprint, or requires a different form, then pass would need to be updated to match the new expectations. That seems clumsy, and likely to lead to upgrade friction down the line.

I agree with you that these kinds of tools should let the user do the sort of things that users generally want to do. The tools should also let them do those things safely by default, and without confusion.

--dkg
Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]
On Thursday, 29 February 2024 21:21:42 CET Daniel Kahn Gillmor wrote:

> human-readable names for certificates. But i don't see how to use that
> safely while dealing with GnuPG's risky implementation choices here.

Allowing recipients to be specified by email address (or some other part of a user ID) was inherited from PGP. And I guess it's part of the reason for the success of PGP (and GnuPG) that one could specify keys of recipients by email addresses instead of by hard to remember key IDs (when those could still be considered unique) or by impossible to remember fingerprints (or by file name as sequoia-pgp seems to prefer).

Calling this a risky implementation choice of GnuPG is ridiculous. If anything then it's a risky implementation choice of pass to allow using anything other than a fingerprint in ~/.password-store/.gpg-id.

Regards,
Ingo