On Wed, 17 Aug 2016 16:29, kristian.fiskerstr...@sumptuouscapital.com said:
> I'm not sure I like this, it avoids the actual issue of people using
> non-verified keys (and verification would be using fingerprint to begin
> with, although I might read it without the proper context in this email)

Displaying the long keyid has been suggested for 10 years but you are
fully right, it does not help. I just put this into the 1.4 README:

  NEVER use the keyid to verify a key - always use the complete
  fingerprint. The keyid is just a convenience handle to identify a
  key by a short semi-unique name which is trivial to spoof. You may
  want to put the line

    keyid-format long

  into your gpg.conf to tell gpg to print the long keyid (which is
  still spoof-able).

FWIW, I really wonder why people seem to use the keyid to check keys.
Most of us have been in key signing parties and learned that one needs
to mumble the _fingerprint_. Some oldtimers still have the habit of
also comparing the keyid and the creation date, but that was only
helpful in PGP-2 times to mitigate a problem in the PGP-2 key format.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
/* Join us at OpenPGP.conf <https://openpgp-conf.org> */

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
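As an added illustration of Werner's point (example code, not part of the mailing-list message or of GnuPG): for OpenPGP v4 keys the long key ID is just the trailing 64 bits of the 160-bit fingerprint and the short key ID the trailing 32 bits, so two unrelated keys can print the same key ID while their fingerprints differ. The fingerprints below are constructed placeholders, not real keys, and the function names are the example's own.

```python
"""Why a key ID is a handle, not a verifier, and what a verifier should compare."""
import re

V4_FP_HEX_LEN = 40  # 160-bit v4 fingerprint = 40 hex digits


def normalize_fingerprint(fp: str) -> str:
    """Strip the spaces/colons gpg prints and upper-case; reject non-v4 input."""
    cleaned = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{%d}" % V4_FP_HEX_LEN, cleaned):
        raise ValueError("not a 40-hex-digit v4 fingerprint")
    return cleaned


def key_id(fp: str, fmt: str = "long") -> str:
    """Derive the key ID gpg shows: last 16 hex digits (long) or last 8 (short).

    This is the whole derivation for v4 keys: the ID is a suffix of the
    fingerprint, so matching it says nothing about the other 96/128 bits.
    """
    digits = {"long": 16, "short": 8}[fmt]
    return normalize_fingerprint(fp)[-digits:]


def fingerprints_match(expected: str, observed: str) -> bool:
    """The check a verifier should do: compare the complete fingerprint."""
    return normalize_fingerprint(expected) == normalize_fingerprint(observed)


# Constructed sample data: two distinct fingerprints sharing their last 16 digits.
TRUSTED_FP = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
LOOKALIKE_FP = "FEDC BA98 7654 3210 FEDC BA98 89AB CDEF 0123 4567"


def compare_keys(fp_a: str, fp_b: str) -> dict:
    """Show which comparisons the two keys pass: every key-ID check, not the fingerprint."""
    return {
        "same_short_keyid": key_id(fp_a, "short") == key_id(fp_b, "short"),
        "same_long_keyid": key_id(fp_a, "long") == key_id(fp_b, "long"),
        "same_fingerprint": fingerprints_match(fp_a, fp_b),
    }


if __name__ == "__main__":
    print(compare_keys(TRUSTED_FP, LOOKALIKE_FP))
    # {'same_short_keyid': True, 'same_long_keyid': True, 'same_fingerprint': False}
```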