Updated OpenPGP Security (markdown)
parent
492e266450
commit
338fe28b81
|
@ -57,6 +57,36 @@ TODO: Yes we must do this. Important TODO
|
|||
#### Support for Image Attribute Subpacket?
|
||||
No, in about 99% of all use cases there are better photos to be found in Android's contact database.
|
||||
|
||||
### Thesis
|
||||
* OpenPGP is over-engineered
|
||||
* Web of Trust has failed
|
||||
* nobody understands tsigs
|
||||
* nobody understands different trust levels
|
||||
|
||||
### Solution
|
||||
* Identities **are** certified or **not**
|
||||
* Alternately, trust is probabilistic. Keys have associated metadata which a potential user may examine to help in deciding whether to use them. Web-of-trust and Keybase-style "proof" data could be included here, and it seems likely that other flavors of such metadata are likely to arrive.
|
||||
* Hide Web-of-Trust
|
||||
|
||||
|
||||
# Fingerprints and key IDs
|
||||
* Don't prefix "0x", average users do not understand this
|
||||
* handle key IDs like telephone numers
|
||||
* no monospace for key IDs (do you use monospace on telephone numbers? no)
|
||||
* Key IDs lower case to better differentiate numbers and letters
|
||||
* Don't show key ids? (https://www.debian-administration.org/users/dkg/weblog/105)
|
||||
|
||||
# Key creation
|
||||
|
||||
## User ID comments
|
||||
Considered harmful, so only in advanced key edit.
|
||||
See https://www.debian-administration.org/users/dkg/weblog/97
|
||||
|
||||
## Password meters
|
||||
* ["How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation."](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final209.pdf)
|
||||
* "Does my password go up to eleven?: the impact of password meters on password selection"
|
||||
|
||||
|
||||
### Relevant links
|
||||
* https://gist.github.com/coruus/68a8c65571e2b4225a69
|
||||
* https://help.riseup.net/en/security/message-security/openpgp/best-practices
|
||||
|
|
Loading…
Reference in New Issue