Kevin Fenzi wrote:
well, they are already pretty bad because fas just stores the short
version, which has been subject to duplicates for... years now?
My FAS account shows a 64-bit key ID. Yours shows 32 bits. I guess it
displays what you give it. As far as I have heard only 32-bit key IDs
have been duplicated.
It would be better if the user interface didn't require users to know
such details.
Not sure what best to do here. I fear gpg is pretty much a failure
these
days and we need something better, but I am not sure what that is.
I think GnuPG is best thought of as a building block, essentially a
library that programs can use for their encryption and authentication
needs. It works well when used that way, for example by RPM/Yum. Viewed
as a tool, it's only usable to crypto nerds.
The "web of trust" is clearly not working. In the more than 21 years
I've had PGP keys I have never once been able to validate a key through
a chain of signatures. The attack on SKS is another nail in its coffin.
Another certification method is needed, and WKD is one candidate.
Björn Persson