On Tue, 27 Oct 2020 at 02:48PM -0400, TRS-80 wrote: > I then mention in passing (yesterday) that I have been considering > pass[1], as it is essentially free-form text files with no limits on > what you can put in them, in case anyone else following the issue > wants to expand their options, as I have been thinking about doing. > > Pretty quickly thereafter, both of main devs reply[2] with some > criticisms of PGP, gpg-agent, and some other concept (KDF?)
A KDF is a key-derivation function i.e., a function that allows to generate a cryptographic key based on a passphrase (more from Wikipedia https://en.wikipedia.org/wiki/Key_derivation_function ). Why it is relevant to their rant against GPG, I don't know. Maybe their argument is that if you chose a weak passphrase for your secret key, your secret key is protected by a weak passphrase? That's no news. Maybe a KDF would make the secret key a bit better protected than without a KDF? Again, I don't know enough cryptography to answer that (but I will make the educated guess that the argument is that the KDF is designed to be a slow algorithm, and therefore unpractical to use in brute-force attacks). My counter-argument is to use a password with enough entropy to be actually safe instead of relying on the fact that a given algorithm implementation (the KDF) is slow today. We'll all be sorry anyway once quantum computers become available :) > which I am not actually even familiar with. The following are their > comments, which I quote in full: > > > droidmonkey > > > > Pass offers the barest minimal protections. I would never endorse > > the product because it is very easy to expose all of your secrets to > > any program by using gpg-agent to remember your credentials. There > > is also no concept of a KDF so brute forcing is an option, in fact > > their encryption method is undocumented or at least not readily > > apparent from their website. So if you use gpg-agent, your secret key is not safe? Well yes, that's true, the whole purpose of the agent is to trade a bit of security for a bit of convenience. If that's the worry, don't use gpg-agent and that's it. Regarding “their encryption method is undocumented”, who is “they” in that sentence? GPG? Pass? Me? That kind of FUD is not constructive, I'm afraid. But as a general rule, you should know what you are doing and the consequences of your choices (which admittedly is not easy on modern computer systems), and before starting to use pass, you must be aware that it is not a consumer product (it's a command-line tool, for starters :) ), so some understanding of how it works is required IMO. Matthieu -- (~._.~) Matthieu Weber - [email protected] (~._.~) ( ? ) https://weber.fi.eu.org/ ( ? ) ()- -() public key id : 0x85CB340EFCD5E0B3 ()- -() (_)-(_) "Humor ist, wenn man trotzdem lacht (Otto J. Bierbaum)" (_)-(_)
signature.asc
Description: PGP signature
