How to make wise use of public key cryptography

The correct usage of GnuPG (public key cryptography) is to offer a download link of your public key in every channel you communicate and also include your full fingerprint on your business card. It doesn't make sense in this combination to distribute either your key ID or your fingerprints electronically, because it opens up all kinds of bad practices involving trusting the unverified and confusion.

Key servers and the web of trust itself erodes your privacy as your social relationships are publicly revealed, and your e-mail address is also opened up for easy spamming. However, a key server does make initial contact easier if you forgot to provide a link on the business card and it also enables key updates if you do use the web of trust by mutual key signing. No single solution is perfect for everybody.

Note that both the PGP protocol and GnuPG internally reference a so-called 64-bit long key ID, however many tutorials erroneously use only the short key ID instead. Also note that a given short and long key ID is usually the last 8 or 16 characters of the respective fingerprint.

gpg --list-keys --with-colon
gpg --fingerprint
...

"Using modern GPUs, we have found collisions for every 32bit key id in the WOT's (Web of Trust) strong set. Although this does not break GPG's encryption, it further erodes the usability of GPG and increases the chance of human error." - https://evil32.com/

Comments

Popular posts from this blog

Hidden TFTP of TP-Link routers

Tftp secret of TL-WR740N uncovered

When both Google *and* AppStatus is down