On Fri, Aug 12, 2016 at 12:32:34PM +0100, Ian Jackson wrote:
> Josh Triplett writes ("Re: use long keyid-format in gpg.conf (Re: Key
> collisions in the wild"):
> > I'd suggest moving directly to full fingerprints; from elsewhere in this
> > thread, it sounds like
On Fri, 12 Aug 2016, Ian Jackson wrote:
> Josh Triplett writes ("Re: use long keyid-format in gpg.conf (Re: Key
> collisions in the wild"):
> > I'd suggest moving directly to full fingerprints; from elsewhere in this
> > thread, it sounds like the current versio
Josh Triplett writes ("Re: use long keyid-format in gpg.conf (Re: Key
collisions in the wild"):
> I'd suggest moving directly to full fingerprints; from elsewhere in this
> thread, it sounds like the current version of gnupg has done so.
What should we do for users of je
Samuel Thibault wrote:
> And actually, moving to 64bit fingerprints by default is possibly not a
> good idea: who knows when 64bit will not be secure any more? Estimating
> very roughly, if a 32bit collision can be found within a few seconds
> with one GPU now as evil32 seems to show, a supercomput
Hi,
Quoting Paul Wise (2016-08-10 17:32:15)
> On Wed, Aug 10, 2016 at 6:09 PM, Jakub Wilk wrote:
> > (And there's probably more that this simplistic search doesn't catch...)
>
> apt-key usage for instance:
>
> https://codesearch.debian.net/search?q=\bapt-key\b.*--recv%28-keys%3F%29%3F\s%2B%280x%
Gunnar Wolf said [Wed, Aug 10, 2016 at 02:08:12PM -0500]:
> That's the reason why a key by itself means little, but we do place
> value on the web of trust around it.
> (...blah...)
Anyway, I managed to twist my mail with many facts and make it into a
long mess :) That was my main point. Nobody sh
Samuel Thibault said [Wed, Aug 10, 2016 at 02:03:33PM +0200]:
> And actually, moving to 64bit fingerprints by default is possibly not a
> good idea: who knows when 64bit will not be secure any more? Estimating
> very roughly, if a 32bit collision can be found within a few seconds
> with one GPU now
Ian Jackson, on Wed 10 Aug 2016 19:06:28 +0100, wrote:
> Samuel Thibault writes ("Re: use long keyid-format in gpg.conf (Re: Key
> collisions in the wild"):
> > Ian Jackson, on Wed 10 Aug 2016 18:56:52 +0100, wrote:
> > > Did you miss that paragraph the first t
Samuel Thibault writes ("Re: use long keyid-format in gpg.conf (Re: Key
collisions in the wild"):
> Ian Jackson, on Wed 10 Aug 2016 18:56:52 +0100, wrote:
> > Did you miss that paragraph the first two times (in which case I guess
> > me repeating it was useful) ?
>
Ian Jackson, on Wed 10 Aug 2016 18:56:52 +0100, wrote:
> Samuel Thibault writes ("Re: use long keyid-format in gpg.conf (Re: Key
> collisions in the wild"):
> > Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
> > > I don't know what side of this (
Samuel Thibault writes ("Re: use long keyid-format in gpg.conf (Re: Key
collisions in the wild"):
> Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
> > I don't know what side of this (one) line such a proposed gpg change
> > falls. I still think it's uns
On Wed, Aug 10, 2016 at 6:09 PM, Jakub Wilk wrote:
> (And there's probably more that this simplistic search doesn't catch...)
apt-key usage for instance:
https://codesearch.debian.net/search?q=\bapt-key\b.*--recv%28-keys%3F%29%3F\s%2B%280x%29%3F[0-9a-fA-F]{8}\b
--
bye,
pabs
https://wiki.debia
On 10/08/16 15:19, Samuel Thibault wrote:
> Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
>> Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key
>> collisions in the wild"):
>>> [explanation]
>>
>> Thanks.
>>
g keyid-format in gpg.conf (Re: Key
>>>> collisions in the wild"):
>>>>> [explanation]
>>>>
>>>> Thanks.
>>>>
>>>> I don't know what side of this (one) line such a proposed gpg change
>>>> falls. I still
Christian Seiler, on Wed 10 Aug 2016 15:37:43 +0200, wrote:
> On 08/10/2016 03:19 PM, Samuel Thibault wrote:
> > Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
> >> Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key
> >> collisions i
Christian Seiler writes ("Re: use long keyid-format in gpg.conf (Re: Key
collisions in the wild"):
> On 08/10/2016 03:19 PM, Samuel Thibault wrote:
> > Well, I'd argue that 64bit IDs are not safe either, they have not been
> > made to be.
>
> Can we even c
On 08/10/2016 03:19 PM, Samuel Thibault wrote:
> Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
>> Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key
>> collisions in the wild"):
>>> [explanation]
>>
>> Thanks.
>>
Ian Jackson, on Wed 10 Aug 2016 13:45:05 +0100, wrote:
> Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key
> collisions in the wild"):
> > [explanation]
>
> Thanks.
>
> I don't know what side of this (one) line such a proposed
Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key
collisions in the wild"):
> [explanation]
Thanks.
I don't know what side of this (one) line such a proposed gpg change
falls. I still think it's unsatisfactory that our stable release has
a default
On 2016-08-10 12:55, Ian Jackson wrote:
Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re:
Key collisions in the wild"):
On 2016-08-10 11:39, Ian Jackson wrote:
> It would be much better to put out a stable release update to change
> the default. (Probabl
Samuel Thibault, on Wed 10 Aug 2016 12:46:07 +0200, wrote:
> Holger Levsen, on Wed 10 Aug 2016 10:26:09 +, wrote:
> > I'm somewhat surprised by this mail… or rather by you apparently
> > knowing about the issue but still you seem to not have acted as advised,
> > so let me repeat: everybody, p
Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re: Key
collisions in the wild"):
> On 2016-08-10 11:39, Ian Jackson wrote:
> > It would be much better to put out a stable release update to change
> > the default. (Probably not a security update because o
On 2016-08-10 11:39, Ian Jackson wrote:
It would be much better to put out a stable release update to change
the default. (Probably not a security update because of the risk of
causing currently-vulnerable scripts to become nonfunctional, which is
not something we normally do in security updates
On Wed, 10 Aug 2016 10:26:09 +, Holger Levsen wrote:
> Hi Samuel,
>
> On Wed, Aug 10, 2016 at 12:47:43AM +0200, Samuel Thibault wrote:
>> As a late follow-up of the gpg key collision thread from debian-private
>> (but posted on debian-devel, there is nothing private here, I prefer to
>> see t
On Wed, 2016-08-10 at 12:19 +0200, Jakub Wilk wrote:
> * Samuel Thibault , 2016-08-10, 01:17:
> >
> > Samuel Thibault, on Wed 10 Aug 2016 00:47:43 +0200, wrote:
> > >
> > > € gpg --search-key samuel.thiba...@gnu.org
> > > ...
> > > (1) Samuel Thibault
> > > 4096 bit RSA key 7D069EE6, created: 20
Holger Levsen, on Wed 10 Aug 2016 10:26:09 +, wrote:
> I'm somewhat surprised by this mail… or rather by you apparently
> knowing about the issue but still you seem to not have acted as advised,
> so let me repeat: everybody, please put "keyid-format long" into your
> ~/.gnupg/gpg.conf!
Well,
Sebastian Reichel, on Wed 10 Aug 2016 07:14:09 +0200, wrote:
> On Wed, Aug 10, 2016 at 12:47:43AM +0200, Samuel Thibault wrote:
> > As a late follow-up of the gpg key collision thread from debian-private
> > (but posted on debian-devel, there is nothing private here, I prefer to
> > see this inform
On Wed, Aug 10, 2016 at 12:09:40PM +0200, Jakub Wilk wrote:
> https://codesearch.debian.net/search?q=%5Cbgpg2%3F%5Cb.*--recv%28-keys%3F%29%3F%5Cs%2B%280x%29%3F%5B0-9a-fA-F%5D%7B8%7D%5Cb
> (And there's probably more that this simplistic search doesn't catch...)
thanks for that, I just fixed the si
Holger Levsen writes ("use long keyid-format in gpg.conf (Re: Key collisions in
the wild"):
> I'm somewhat surprised by this mail… or rather by you apparently
> knowing about the issue but still you seem to not have acted as advised,
> so let me repeat: everybody, pleas
Hi Samuel,
On Wed, Aug 10, 2016 at 12:47:43AM +0200, Samuel Thibault wrote:
> As a late follow-up of the gpg key collision thread from debian-private
> (but posted on debian-devel, there is nothing private here, I prefer to
> see this information publicized actually):
>
> € gpg --search-key samue
* Samuel Thibault , 2016-08-10, 01:17:
Samuel Thibault, on Wed 10 Aug 2016 00:47:43 +0200, wrote:
€ gpg --search-key samuel.thiba...@gnu.org
...
(1) Samuel Thibault
4096 bit RSA key 7D069EE6, created: 2014-06-16
And it has 55 signatures from 55 colliding keys...
The forger botched it up, be
https://codesearch.debian.net/search?q=%5Cbgpg2%3F%5Cb.*--recv%28-keys%3F%29%3F%5Cs%2B%280x%29%3F%5B0-9a-fA-F%5D%7B8%7D%5Cb
(And there's probably more that this simplistic search doesn't catch...)
Any volunteers to file bugs?
--
Jakub Wilk
Hi,
On Wed, Aug 10, 2016 at 12:47:43AM +0200, Samuel Thibault wrote:
> As a late follow-up of the gpg key collision thread from debian-private
> (but posted on debian-devel, there is nothing private here, I prefer to
> see this information publicized actually):
>
> € gpg --search-key samuel.thiba
Thanks Samuel,
Looks like my key has been purposefully collided too, already two years ago:
thibaut$ LANG=C gpg --search-key thib...@debian.org
gpg: searching for "thib...@debian.org" from hkp server pgp.mit.edu
[snip]
(2) Thibaut Paumard
4096 bit RSA key E0DC2840, created: 2014-06
On 10/08/2016 01:23, Thibaut Paumard wrote:
> Thanks Samuel,
>
> Looks like my key has been purposefully collided too, already two years ago:
>
> thibaut$ LANG=C gpg --search-key thib...@debian.org
> gpg: searching for "thib...@debian.org" from hkp server pgp.mit.edu
> [snip]
> (2) Thibaut P
Samuel Thibault, on Wed 10 Aug 2016 00:47:43 +0200, wrote:
> € gpg --search-key samuel.thiba...@gnu.org
> ...
> (1) Samuel Thibault
> 4096 bit RSA key 7D069EE6, created: 2014-06-16
And it has 55 signatures from 55 colliding keys...
Samuel
Hello,
As a late follow-up of the gpg key collision thread from debian-private
(but posted on debian-devel, there is nothing private here, I prefer to
see this information publicized actually):
€ gpg --search-key samuel.thiba...@gnu.org
...
(1) Samuel Thibault
4096 bit RSA key 7D069EE6, created:
37 matches