On Mon, 02 Jan 2012 15:47:23 +0100
"Paweł Hajdan, Jr." <phajdan.jr@g.o> wrote:

> You've probably read (or should)
> <http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html>
> which describes why using short gpg key ids is insecure.

Insecure to what? In the same manner, you can say that using your first
name and surname is insecure.

> What do you think? Should I file a bug to convert e.g.
> http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml ? Or do we
> only have short key IDs in LDAP, which would require everyone to
> submit the full ID?

There's no reason to panic. The trust model of PGP is not based on key
IDs. The short IDs are only used to let users grab our keys at will;
and as the blog post shows, GPG handles repeating key IDs just fine.
I think we can afford that one in a million users will download one
additional key.

--
Best regards,
Michał Górny
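As an added example that is not part of the original thread, the following Python shows the point both messages circle around: a short key ID is the low 32 bits of the key fingerprint, so it can only locate candidate keys, and the candidate must still be confirmed against the full fingerprint obtained out of band. The keyring fingerprints are constructed sample values, not real keys.

```python
# Added example, not from the thread.  A v4 OpenPGP key ID is the low-order
# 64 bits of the 160-bit SHA-1 fingerprint and the "short" ID is the low 32
# bits, so keys whose fingerprints end in the same 8 hex digits collide on
# it.  A short ID is therefore only a locator; identity is the fingerprint.
# All fingerprints below are constructed sample values, not real keys.
import hmac
from collections import defaultdict

SHORT_HEX, FPR_HEX = 8, 40

def normalize_fingerprint(fpr: str) -> str:
    """Accept gpg-style spaced output; return 40 uppercase hex chars."""
    fpr = "".join(fpr.split()).upper()
    if len(fpr) != FPR_HEX or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError(f"not a 160-bit fingerprint: {fpr!r}")
    return fpr

def short_key_id(fpr: str) -> str:
    """Low 32 bits of the fingerprint: the 8-hex-digit short key ID."""
    return normalize_fingerprint(fpr)[-SHORT_HEX:]

def index_by_short_id(fingerprints):
    """Map short key ID -> every full fingerprint in the keyring sharing it."""
    index = defaultdict(list)
    for fpr in fingerprints:
        index[short_key_id(fpr)].append(normalize_fingerprint(fpr))
    return dict(index)

def short_id_collisions(fingerprints):
    """Short IDs that resolve to more than one key: the case the blog post
    warns about, and the one a keyserver lookup by short ID will hit."""
    return {k: v for k, v in index_by_short_id(fingerprints).items() if len(v) > 1}

def resolve(keyring, short_id, expected_fpr):
    """Fetch by short ID (what the roll-call page offers), then keep only the
    candidate whose full fingerprint equals the one obtained out of band."""
    expected = normalize_fingerprint(expected_fpr)
    for fpr in index_by_short_id(keyring).get(short_id.upper(), []):
        if hmac.compare_digest(fpr, expected):
            return fpr
    return None

# Constructed keyring: the first two entries deliberately share the short
# ID DEADBEEF but differ everywhere else, so a short-ID lookup is ambiguous.
KEYRING = [
    "1111 2222 3333 4444 5555  6666 7777 8888 DEAD BEEF",
    "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 9999 DEAD BEEF",
    "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
]
```

Run `short_id_collisions(KEYRING)` to see the ambiguous short ID, and `resolve(KEYRING, "DEADBEEF", <fingerprint>)` to see that only the full fingerprint settles which of the two keys is meant.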