I noticed that ~/.password-store/.gpg-id uses short key IDs, for which collisions can easily be found (see [1] [2] [3]).
Is this a problem for pass? Especially, assume that I have 2 keys in my keyring, one mine and one that was constructed by an attacker to have the same short ID, is it possible that pass will encrypt my passwords for the other person's key?

Thank you!

[1] http://security.stackexchange.com/questions/84280/short-openpgp-key-ids-are-insecure-how-to-configure-gnupg-to-use-long-key-ids-i
[2] http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
[3] https://help.riseup.net/en/gpg-best-practices#dont-rely-on-the-key-id

_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
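A defensive check for the situation asked about above, as an added example that is not part of the original message or of pass itself: it classifies each `.gpg-id` entry and uses `gpg --list-keys --with-colons` output to report key IDs that resolve to more than one key in the keyring. The function names and the sample keyring are constructed for illustration.

```shell
# Constructed sample of `gpg --list-keys --with-colons` output: two primary
# keys whose 64-bit key IDs (field 5) end in the same 32 bits.
SAMPLE_KEYRING='pub:u:4096:1:1111AAAA0BADC0DE:1400000000:::u:::scESC:
pub:-:4096:1:2222BBBB0BADC0DE:1400000001:::-:::scESC:
pub:u:4096:1:3333CCCC12345678:1400000002:::u:::scESC:'

# Strip spaces and an optional 0x prefix, upper-case the hex digits.
normalize_id() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Print short | long | fingerprint | uid for one .gpg-id entry.
classify_id() {
    id=$(normalize_id "$1")
    case $id in ''|*[!0-9A-F]*) echo uid; return ;; esac
    case ${#id} in
        8)  echo short ;;        # 32-bit key ID
        16) echo long ;;         # 64-bit key ID
        40) echo fingerprint ;;  # full v4 fingerprint
        *)  echo uid ;;          # anything else is treated as a user-ID string
    esac
}

# Count pub/sub records on stdin whose key ID (field 5) ends with the entry.
count_matches() {
    awk -F: -v want="$(normalize_id "$1")" '
        ($1 == "pub" || $1 == "sub") && length($5) >= length(want) &&
            substr($5, length($5) - length(want) + 1) == want { n++ }
        END { print n + 0 }'
}

# Audit .gpg-id entries (one per line on stdin) against a colon listing ($1).
# Prints one verdict per entry; returns 1 if any entry is not a fingerprint.
audit_gpg_id() {
    listing=$1 bad=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        kind=$(classify_id "$entry")
        if [ "$kind" = fingerprint ]; then echo "OK $entry"; continue; fi
        bad=1
        n=$(printf '%s\n' "$listing" | count_matches "$entry")
        if [ "$n" -gt 1 ]; then kind="AMBIGUOUS($n)"; fi
        echo "$kind $entry"
    done
    return "$bad"
}

# Real use: audit_gpg_id "$(gpg --list-keys --with-colons)" < ~/.password-store/.gpg-id
printf '0BADC0DE\n' | audit_gpg_id "$SAMPLE_KEYRING" || true
```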
