Updated OpenPGP Security (markdown)
parent f5e7a7b0ba
commit 465cef641c
|
@ -57,24 +57,9 @@ TODO: Yes we must do this. Important TODO
|
||||||
#### Support for Image Attribute Subpacket?
|
#### Support for Image Attribute Subpacket?
|
||||||
No, in about 99% of all use cases there are better photos to be found in Android's contact database.
|
No, in about 99% of all use cases there are better photos to be found in Android's contact database.
|
||||||
|
|
||||||
### Thesis
|
## Fingerprints and key IDs
|
||||||
* OpenPGP is over-engineered
|
* In most places key IDs are useless!
|
||||||
* Web of Trust has failed
|
* https://www.debian-administration.org/users/dkg/weblog/105
|
||||||
* nobody understands tsigs
|
|
||||||
* nobody understands different trust levels
|
|
||||||
|
|
||||||
### Solution
|
|
||||||
* Identities **are** certified or **not**
|
|
||||||
* Alternately, trust is probabilistic. Keys have associated metadata which a potential user may examine to help in deciding whether to use them. Web-of-trust and Keybase-style "proof" data could be included here, and it seems likely that other flavors of such metadata are likely to arrive.
|
|
||||||
* Hide Web-of-Trust
|
|
||||||
|
|
||||||
|
|
||||||
# Fingerprints and key IDs
|
|
||||||
* Don't prefix "0x", average users do not understand this
|
|
||||||
* handle key IDs like telephone numers
|
|
||||||
* no monospace for key IDs (do you use monospace on telephone numbers? no)
|
|
||||||
* Key IDs lower case to better differentiate numbers and letters
|
|
||||||
* Don't show key ids? (https://www.debian-administration.org/users/dkg/weblog/105)
|
|
||||||
|
|
||||||
# Key creation
|
# Key creation
|
||||||
|
|
||||||
|
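Review bot: replacing the old "# Fingerprints and key IDs" section drops all of its concrete display guidance (no "0x" prefix, format like telephone numbers, lower case, no monospace) and keeps only "In most places key IDs are useless!" plus the dkg link; if key IDs are still shown anywhere in the UI, those display rules should survive as sub-bullets under that point, and the reason key IDs are considered useless should be stated in one sentence rather than left entirely to the link. The new heading is "##" while the unchanged "# Key creation" below it stays at "#", so the top-level headings are now at inconsistent levels; pick one level for all top-level sections.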
@ -86,6 +71,17 @@ See https://www.debian-administration.org/users/dkg/weblog/97
|
||||||
* ["How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation."](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final209.pdf)
|
* ["How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation."](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final209.pdf)
|
||||||
* "Does my password go up to eleven?: the impact of password meters on password selection"
|
* "Does my password go up to eleven?: the impact of password meters on password selection"
|
||||||
|
|
||||||
|
### Web of Trust
|
||||||
|
* OpenPGP is over-engineered
|
||||||
|
* Web of Trust has failed
|
||||||
|
* nobody understands tsigs
|
||||||
|
* nobody understands different trust levels
|
||||||
|
|
||||||
|
### Solution
|
||||||
|
* Identities **are** certified or **not**
|
||||||
|
* Alternately, trust is probabilistic. Keys have associated metadata which a potential user may examine to help in deciding whether to use them. Web-of-trust and Keybase-style "proof" data could be included here, and it seems likely that other flavors of such metadata are likely to arrive.
|
||||||
|
* Hide Web-of-Trust
|
||||||
|
|
||||||
|
|
||||||
### Relevant links
|
### Relevant links
|
||||||
* https://gist.github.com/coruus/68a8c65571e2b4225a69
|
* https://gist.github.com/coruus/68a8c65571e2b4225a69
|
||||||
|
|
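Review bot: the moved "### Web of Trust" section lands directly after the password-meter bullets under "# Key creation", so it now reads as a subsection of key creation rather than a top-level topic; promote it (and the following "### Solution") to the same level as "Fingerprints and key IDs", or give it its own top-level heading before "Relevant links". Within the section, "tsigs" should be expanded on first use, and the two "Solution" bullets ("Identities **are** certified or **not**" and "Alternately, trust is probabilistic ...") describe mutually exclusive designs, so the list should say which is the proposed direction and which is the alternative; the probabilistic bullet also repeats "likely" ("it seems likely that other flavors of such metadata are likely to arrive").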