On Wed, Feb 12, 2020 at 11:14:32PM +0100, Björn Persson wrote:
> Kevin Fenzi wrote:
> > well, they are already pretty bad because fas just stores the short
> > version, which has been subject to duplicates for... years now?
>
> My FAS account shows a 64-bit key ID. Yours shows 32 bits. I guess it
> displays what you give it. As far as I have heard only 32-bit key IDs
> have been duplicated.
>
> It would be better if the user interface didn't require users to know
> such details.
Yeah, we may have added a change to let you specify the longer one at
some point. Not sure.
> > Not sure what best to do here. I fear gpg is pretty much a failure these
> > days and we need something better, but I am not sure what that is.
>
> I think GnuPG is best thought of as a building block, essentially a
> library that programs can use for their encryption and authentication
> needs. It works well when used that way, for example by RPM/Yum. Viewed
> as a tool, it's only usable to crypto nerds.
Agreed.
> The "web of trust" is clearly not working. In the more than 21 years
> I've had PGP keys I have never once been able to validate a key through
> a chain of signatures. The attack on SKS is another nail in its coffin.
> Another certification method is needed, and WKD is one candidate.
well, WKD just replaces the 'web of trust' part, the rest of gpg/pgp is
still there: horrible setup, poor docs, configuration that's a nightmare,
etc.
Sadly, I don't know what the answer is, but getting more than just nerds
using gpg is not going to happen. ;(
kevin