On 06/04/2016 12:43 AM, Gunnar Wolf wrote:
> There are several tools relying on this (now very) weak 32-bit scheme;
> the first such tool we found was precisely the «PGP pathfinder & key
> statistics» service, which fails badly: even specifying the full
> fingerprints, I do get three (absolutely fake!) trust paths into the
> impostor:
I'd like to take a bit of time to comment on this. The web of trust in the abstract is all nice, but ultimately services such as the pathfinder are only a tool to guide you in how you can find a direct path. It is not a replacement for actually properly configuring the trustdb and doing (local) signatures of external keys that are to be used in the validity calculation. So I fail to see an issue in this case, really; a simple tool can be fooled, but the underlying model is sound.

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"We can only see a short distance ahead, but we can see plenty there that needs to be done." (Alan Turing)
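The exchange above turns on why a tool that indexes keys by the 32-bit "short" key ID can be fooled while a validity calculation over full fingerprints cannot. The following is an added example, not code from the thread or from any of the tools it mentions: it derives the long (64-bit) and short (32-bit) key IDs from a v4 fingerprint (the last 16 and last 8 hex digits respectively), builds lookup indexes over a small hand-constructed keyring in which two fingerprints deliberately share their last 8 hex digits (an artificial collision, not real keys), and shows that a lookup by short ID is ambiguous while a lookup by long ID or full fingerprint resolves to exactly one key. The keyring contents and function names are assumptions made for illustration.

```python
"""Added example: why a 32-bit key ID is not a safe lookup key.

For OpenPGP v4 keys the 64-bit key ID is the low 64 bits of the SHA-1
fingerprint and the 32-bit "short" ID is the low 32 bits.  A tool that
indexes keys by the short ID cannot distinguish two keys whose
fingerprints share their last 8 hex digits.  The keyring below is
constructed by hand so that two entries collide on the short ID.
"""
from collections import defaultdict
from typing import Dict, List, Optional


def _normalize(hexstr: str) -> str:
    """Strip spaces and an optional 0x prefix, upper-case the result."""
    h = hexstr.replace(" ", "").upper()
    return h[2:] if h.startswith("0X") else h


def long_key_id(fpr: str) -> str:
    """64-bit key ID: the last 16 hex digits of a 40-digit v4 fingerprint."""
    f = _normalize(fpr)
    if len(f) != 40:
        raise ValueError("v4 fingerprint must be 40 hex digits")
    return f[-16:]


def short_key_id(fpr: str) -> str:
    """32-bit key ID: the last 8 hex digits of the fingerprint."""
    return long_key_id(fpr)[-8:]


# Constructed keyring (fingerprint -> owner label).  Entries 1 and 2
# share their last 8 hex digits on purpose; these are not real keys.
KEYRING: Dict[str, str] = {
    "0123456789ABCDEF0123456789ABCDEFDEADBEEF": "Alice (genuine)",
    "FEDCBA9876543210FEDCBA9876543210DEADBEEF": "Alice (impostor)",
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA12345678": "Bob",
}


def build_indexes(keyring: Dict[str, str]):
    """Index the keyring by short and by long key ID; values are lists
    because either ID may, in principle, map to several fingerprints."""
    by_short: Dict[str, List[str]] = defaultdict(list)
    by_long: Dict[str, List[str]] = defaultdict(list)
    for fpr in keyring:
        by_short[short_key_id(fpr)].append(fpr)
        by_long[long_key_id(fpr)].append(fpr)
    return by_short, by_long


def candidates(identifier: str, keyring: Dict[str, str]) -> List[str]:
    """All fingerprints in the keyring matching a short ID, long ID or
    full fingerprint.  More than one hit means the identifier is ambiguous."""
    ident = _normalize(identifier)
    by_short, by_long = build_indexes(keyring)
    if len(ident) == 40:
        return [ident] if ident in keyring else []
    if len(ident) == 16:
        return list(by_long.get(ident, []))
    if len(ident) == 8:
        return list(by_short.get(ident, []))
    raise ValueError("expected 8, 16 or 40 hex digits")


def resolve(identifier: str, keyring: Dict[str, str]) -> Optional[str]:
    """Return the unique matching fingerprint, or None when the identifier
    matches zero keys or more than one (the trap a short-ID lookup falls into)."""
    hits = candidates(identifier, keyring)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    genuine = "0123 4567 89AB CDEF 0123 4567 89AB CDEF DEAD BEEF"
    print("short ID:", short_key_id(genuine))          # DEADBEEF
    print("by short ID:", candidates("0xDEADBEEF", KEYRING))   # two hits
    print("resolve short:", resolve("DEADBEEF", KEYRING))       # None
    print("resolve long:", resolve(long_key_id(genuine), KEYRING))
    print("resolve full:", resolve(genuine, KEYRING))
```

A path-finding or validity routine that keys its graph on `short_key_id` will happily merge the genuine and impostor entries; keying it on the full fingerprint (as the local trustdb and local signatures do) keeps them apart, which is the distinction the reply above draws between a guidance tool and the validity calculation itself.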
_______________________________________________
Sks-devel mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/sks-devel
