Gentoo Archives: gentoo-project

From: "Michał Górny" <mgorny@g.o>
To: gentoo-project@l.g.o
Cc: phajdan.jr@g.o
Subject: Re: [gentoo-project] let's stop using short gpg key ids, that's insecure
Date: Mon, 02 Jan 2012 17:17:18
Message-Id: 20120102181752.27c70a7f@pomiocik.lan
In Reply to: [gentoo-project] let's stop using short gpg key ids, that's insecure by "Paweł Hajdan
On Mon, 02 Jan 2012 15:47:23 +0100
"Paweł Hajdan, Jr." <phajdan.jr@g.o> wrote:

> You've probably read (or should)
> <http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html>
> which describes why using short gpg key ids is insecure.

Insecure to what? In the same manner, you can say that using your first
name and surname is insecure.

> What do you think? Should I file a bug to convert e.g.
> http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml ? Or do we
> only have short key IDs in LDAP, which would require everyone to
> submit the full ID?

There's no reason to panic. The trust model of PGP is not based on key
IDs. The short IDs are only used to let users grab our keys at will;
and as the blog post shows, GPG handles repeating key IDs just fine.
I think we can afford that one in a million times users will download one
additional key.

--
Best regards,
Michał Górny
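As an added illustration (not part of the thread or of any Gentoo tooling), the following Python shows what the two messages are arguing about: the 8-hex-digit short ID is simply the tail of the RFC 4880 v4 fingerprint, a lookup by short or long ID is a suffix match that may return more than one key, and the check the PGP trust model actually relies on compares the full fingerprint obtained out of band. The RSA values below are constructed toy numbers, not real keys.

```python
import hashlib
import struct

# Toy OpenPGP v4 RSA public-key packets are constructed here for illustration;
# the moduli are tiny and are not real keys.


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 3.2): bit count, then big-endian bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def build_v4_rsa_pubkey(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet (RFC 4880 5.5.2) for RSA, algorithm id 1."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)


def fingerprint(pubkey_body: bytes) -> str:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, two-octet length, packet body."""
    data = b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body
    return hashlib.sha1(data).hexdigest().upper()


def long_key_id(fpr: str) -> str:
    return fpr[-16:]  # low 64 bits of the fingerprint


def short_key_id(fpr: str) -> str:
    return fpr[-8:]  # low 32 bits: the 8-digit ID the thread is about


def resolve(keyring, ident: str):
    """Return every key in `keyring` the identifier could refer to.

    A 40-hex fingerprint names exactly one key. Short (8-hex) and long (16-hex)
    IDs are suffix matches, so more than one key may come back; a caller must
    treat that as ambiguous instead of silently taking the first hit.
    """
    ident = ident.upper()
    ident = ident[2:] if ident.startswith("0X") else ident
    if len(ident) not in (8, 16, 40):
        raise ValueError("key identifier must be 8, 16 or 40 hex digits")
    return [k for k in keyring if fingerprint(k).endswith(ident)]


def accept_key(candidate: bytes, expected_fpr: str) -> bool:
    """Trust decision: the short ID only fetches the key; acceptance compares the
    full fingerprint learned out of band (e.g. from the developer in person)."""
    return fingerprint(candidate) == expected_fpr.replace(" ", "").upper()
```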
