[pass] Short PGP IDs in pass
Niklas Hambüchen
mail at nh2.me
Fri Feb 5 17:00:29 CET 2016

I noticed that ~/.password-store/.gpg-id uses short key IDs, for which
collisions can easily be found (see [1] [2] [3]).

Is this a problem for pass? Especially, assume that I have 2 keys in my
keyring, one mine and one that was constructed by an attacker to have
the same short ID, is it possible that pass will encrypt my passwords
for the other person's key?

Thank you!

[1] http://security.stackexchange.com/questions/84280/short-openpgp-key-ids-are-insecure-how-to-configure-gnupg-to-use-long-key-ids-i
[2] http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
[3] https://help.riseup.net/en/gpg-best-practices#dont-rely-on-the-key-id
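
A defender-side check for the situation the message asks about, as an added example that is not part of the original post or of pass: it flags `.gpg-id` entries that are short IDs or that match more than one key in a saved `gpg --with-colons --fingerprint --list-keys` listing. The function names, status labels and sample fingerprints are constructed for illustration, and 40-hex (v4) fingerprints are assumed.

```sh
#!/bin/sh
# Added example (not part of pass): audit a .gpg-id file against a key listing.
# Usage: audit_gpg_id GPG_ID_FILE COLON_LISTING
# COLON_LISTING holds saved output of: gpg --with-colons --fingerprint --list-keys
# Prints "<status> <entry> matches=<n>" per entry. Exit status is 0 only if every
# entry is a full 40-hex (v4) fingerprint that matches exactly one listed key.
audit_gpg_id() (
    rc=0
    # Field 10 of each "fpr" record is the full fingerprint.
    fprs=$(awk -F: '$1 == "fpr" { print toupper($10) }' "$2")
    while IFS= read -r entry || [ -n "$entry" ]; do
        [ -z "$entry" ] && continue
        hex=$(printf '%s' "$entry" | tr -d ' ' | tr 'a-f' 'A-F')
        hex=${hex#0[xX]}
        case $hex in
            (''|*[!0-9A-F]*) echo "not-a-key-id $entry matches=0"; rc=1; continue ;;
        esac
        # A key ID is the trailing hex digits of a fingerprint.
        n=$(printf '%s\n' "$fprs" | grep -c -- "${hex}\$" || true)
        if   [ "$n" -gt 1 ];       then status=ambiguous
        elif [ "$n" -eq 0 ];       then status=not-in-listing
        elif [ "${#hex}" -eq 40 ]; then status=ok
        elif [ "${#hex}" -eq 8 ];  then status=short-id
        else                            status=not-a-fingerprint
        fi
        [ "$status" = ok ] || rc=1
        echo "$status $entry matches=$n"
    done < "$1"
    exit "$rc"
)

# Constructed sample data: made-up fingerprints, two of which share DEADBEEF.
demo() (
    d=$(mktemp -d); a=AAAAAAAA; b=BBBBBBBB; o=11111111
    printf 'fpr:::::::::%s:\n' "$o$o$o$o$o" "$a$a$a$a"DEADBEEF \
        "$b$b$b$b"DEADBEEF > "$d/keys"
    printf '%s\n' DEADBEEF 0x11111111 "$a$a$a$a"DEADBEEF > "$d/gpg-id"
    audit_gpg_id "$d/gpg-id" "$d/keys" && rc=0 || rc=$?
    rm -rf "$d"
    exit "$rc"
)

demo || echo "at least one .gpg-id entry is not a unique full fingerprint"
```

To run it on a real store, save the key listing to a file and pass it together with `~/.password-store/.gpg-id` to `audit_gpg_id`.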