Gentoo Archives: gentoo-project

From: "Paweł Hajdan
To: gentoo-project@l.g.o
Subject: [gentoo-project] let's stop using short gpg key ids, that's insecure
Date: Mon, 02 Jan 2012 14:48:03
Message-Id: 4F01C37B.6000305@gentoo.org
You've probably read (or should)
<http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html>
which describes why using short gpg key ids is insecure.

Note it's about IDs, i.e. 0x30427902 vs. 0xB9442D9430427902 (these are the
short and long IDs of my current key), not the keys themselves. That means no
need to change keys, just change the way we display them on web pages
and possibly in other places.

What do you think? Should I file a bug to convert e.g.
http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml ? Or do we
only have short key IDs in LDAP, which would require everyone to submit
the full ID?

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-project] let's stop using short gpg key ids, that's insecure "Chí-Thanh Christopher Nguyễn" <chithanh@g.o>
Re: [gentoo-project] let's stop using short gpg key ids, that's insecure "Michał Górny" <mgorny@g.o>
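
Added example, not part of the original message or of any Gentoo tooling: a small audit of a developer roster that classifies each listed key ID as short, long or full fingerprint and flags entries that match more than one key. It relies on the OpenPGP V4 rule that the long and short IDs are the last 16 and 8 hex digits of the fingerprint; the roster names and all fingerprints are constructed, and only the two IDs from the post are real.

```python
import re

# Constructed keyring of 40-hex-digit V4 fingerprints. The leading digits are
# placeholders; only the trailing long ID of the first entry is from the post.
KEYRING = [
    "A" * 24 + "B9442D9430427902",  # long ID from the post, padded (constructed)
    "B" * 24 + "1111111130427902",  # constructed key sharing that short ID
    "C" * 24 + "0123456789ABCDEF",  # constructed unrelated key
]

# Constructed roster, as a web page or LDAP attribute might list key IDs.
ROSTER = {
    "dev-a": "0x30427902",
    "dev-b": "0xB9442D9430427902",
    "dev-c": "89abcdef",
    "dev-d": "not-a-key-id",
}

KINDS = {8: "short", 16: "long", 40: "fingerprint"}


def normalize(key_id):
    """Return (kind, HEX) for a key ID string, or (None, None) if malformed."""
    text = key_id.strip().replace(" ", "")
    hexpart = re.sub(r"^0x", "", text, flags=re.I).upper()
    if not re.fullmatch(r"[0-9A-F]+", hexpart) or len(hexpart) not in KINDS:
        return None, None
    return KINDS[len(hexpart)], hexpart


def audit(roster, keyring):
    """Map each roster name to a finding about the key ID it lists."""
    report = {}
    for name, key_id in roster.items():
        kind, hexpart = normalize(key_id)
        if kind is None:
            report[name] = "malformed"
            continue
        # A key ID is a suffix of the fingerprint, so lookup is a suffix match.
        found = [fpr for fpr in keyring if fpr.endswith(hexpart)]
        if len(found) > 1:
            report[name] = f"{kind}: AMBIGUOUS ({len(found)} keys)"
        elif kind == "short":
            fix = "0x" + found[0][-16:] if found else "long ID or fingerprint"
            report[name] = "short: replace with " + fix
        else:
            report[name] = f"{kind}: ok" if found else f"{kind}: not in keyring"
    return report
```

Calling `audit(ROSTER, KEYRING)` reports `dev-a` as ambiguous because two keyring entries end in 30427902, while the long ID listed for `dev-b` resolves to exactly one key.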