Updated OpenPGP Security (markdown)

Dominik Schürmann 2015-03-15 15:36:35 +01:00
parent 492e266450
commit 338fe28b81
1 changed files with 30 additions and 0 deletions

@ -57,6 +57,36 @@ TODO: Yes we must do this. Important TODO
#### Support for Image Attribute Subpacket?
No, in about 99% of all use cases there are better photos to be found in Android's contact database.
### Thesis
* OpenPGP is over-engineered
* Web of Trust has failed
* nobody understands tsigs
* nobody understands different trust levels
### Solution
* Identities **are** certified or **not**
* Alternately, trust is probabilistic. Keys have associated metadata which a potential user may examine to help in deciding whether to use them. Web-of-trust and Keybase-style "proof" data could be included here, and it seems likely that other flavors of such metadata are likely to arrive.
* Hide Web-of-Trust
# Fingerprints and key IDs
* Don't prefix "0x", average users do not understand this
* handle key IDs like telephone numers
* no monospace for key IDs (do you use monospace on telephone numbers? no)
* Key IDs lower case to better differentiate numbers and letters
* Don't show key ids? (https://www.debian-administration.org/users/dkg/weblog/105)
# Key creation
## User ID comments
Considered harmful, so only in advanced key edit.
See https://www.debian-administration.org/users/dkg/weblog/97
## Password meters
* ["How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation."](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final209.pdf)
* "Does my password go up to eleven?: the impact of password meters on password selection"
### Relevant links
* https://gist.github.com/coruus/68a8c65571e2b4225a69
* https://help.riseup.net/en/security/message-security/openpgp/best-practices