On 25/02/16 19:11, Robert J. Hansen wrote:
> If an attacker can control your gpg.conf file, there are so many worse
> things to do that it's hard for me to take this seriously.

I never, ever, once, argued the opposite. I sure hope you're not implying I am, or that Kristian is.

If you recall, I talked about public keys being attached to e-mail messages, adding as a mitigating factor that your own key would probably be earlier on the keyring. By now, we can add the mitigating factor that GnuPG will bork on the key import. Plus, as was already established, the rather major fact that as far as we know, nobody has pulled off a second-preimage attack against a long keyID.

But take things as seriously as you see fit. As I indicated, this is more of the variety of "what is prudence in user education", not "oh my God they are H4xx0rzing our keez".

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users