Gentoo Archives: gentoo-project

From: "Paweł Hajdan
To: gentoo-project@l.g.o
Subject: [gentoo-project] let's stop using short gpg key ids, that's insecure
Date: Mon, 02 Jan 2012 14:48:03
Message-Id: 4F01C37B.6000305@gentoo.org

You've probably read (or should)
<http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html>
which describes why using short gpg key ids is insecure.

Note it's about IDs, i.e. 0x30427902 vs. 0xB9442D9430427902 (these are the
short and long IDs of my current key), not the keys themselves. That means no
need to change keys, just change the way we display them on web pages
and possibly in other places.

What do you think? Should I file a bug to convert e.g.
http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml ? Or do we
only have short key IDs in LDAP, which would require everyone to submit
the full ID?
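
Added example, not part of the original message and not Gentoo tooling: an audit of a key-ID listing that flags entries still using short IDs and shows why a short ID is ambiguous, using the fact that a v4 OpenPGP short ID is the last 8 hex digits of the long ID (as with the two IDs quoted in the message). The roster, its entry names and every ID other than those two are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed roster standing in for a developer list or LDAP export.
# Only 0x30427902 and 0xB9442D9430427902 come from the message above.
ROSTER = [
    ("dev-a", "0x30427902"),
    ("dev-b", "0xB9442D9430427902"),
    ("dev-c", "0x1A2B3C4D30427902"),  # constructed: other key, same low 32 bits
    ("dev-d", "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"),
    ("dev-e", "not-a-key"),
]

KINDS = {8: "short", 16: "long", 40: "fingerprint"}  # hex digits -> kind


def normalize(key_id):
    """Return upper-case hex digits without '0x' or whitespace, else None."""
    s = re.sub(r"\s+", "", key_id)
    if s[:2].lower() == "0x":
        s = s[2:]
    return s.upper() if re.fullmatch(r"[0-9A-Fa-f]+", s) else None


def classify(key_id):
    h = normalize(key_id)
    return KINDS.get(len(h), "invalid") if h else "invalid"


def short_id(key_id):
    """Short ID a viewer would see: the last 8 hex digits of the identifier."""
    h = normalize(key_id)
    return h[-8:] if h and len(h) in KINDS else None


def audit(roster):
    """Return (entries that need a longer ID, short IDs matching >1 key)."""
    needs_fix = [n for n, k in roster if classify(k) in ("short", "invalid")]
    by_short = defaultdict(set)
    for _, k in roster:
        if classify(k) in ("long", "fingerprint"):
            by_short[short_id(k)].add(normalize(k))
    ambiguous = {s: sorted(v) for s, v in by_short.items() if len(v) > 1}
    return needs_fix, ambiguous


if __name__ == "__main__":
    print(audit(ROSTER))
```
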
