[Tickets #12099] Re: create gpg keys for the 21th century

noreply at bugs.horde.org noreply at bugs.horde.org
Mon Mar 18 11:25:04 UTC 2013


Ticket URL: http://bugs.horde.org/ticket/12099
------------------------------------------------------------------------------
  Ticket             | 12099
  Updated By         | o+horde at immerda.ch
  Summary            | create gpg keys for the 21th century
  Queue              | Horde Base
  Version            | Git master
  Type               | Bug
  State              | Feedback
  Priority           | 2. Medium
  Milestone          |
  Patch              | 1
  Owners             | Michael Slusarz
------------------------------------------------------------------------------


o+horde at immerda.ch (2013-03-18 11:25) wrote:

> IMHO the length of the key is the least of your worries here.
>
> Unless you have ultimate trust in the person who is administrating  
> the webserver (i.e., *you* are the one in charge), there is no
> guarantee that nobody has access to your private key. As an  
> administrator it would be trivial to log the passwords of private  
> keys (if any) and the keys themselves are also present.
>
> If confidentiality is really an issue, you shouldn't be using PGP  
> (or S/MIME) in Horde in the first place.

So your argument is like, why do you lock the door, the janitor has a
key anyway...

I mean it's all a question of your threat model, and I agree that using
PGP in Horde is considerably less secure (as in, applies to a weaker
threat model) than using it locally, but that doesn't mean that you
should just not care about the key.

If this does not convince you why we should increase key length, look
up forward secrecy.




