Gentoo Archives: gentoo-project

From: "Paweł Hajdan
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] let's stop using short gpg key ids, that's insecure
Date: Thu, 05 Jan 2012 17:58:10
Message-Id: 4F05E48F.3040802@gentoo.org
In Reply to: Re: [gentoo-project] let's stop using short gpg key ids, that's insecure by "Michał Górny"
On 1/2/12 6:17 PM, Michał Górny wrote:
> Insecure to what?
It's easy to confuse keys that way. I'm not saying that it results in an immediate compromise or that it's urgent, but if we can make it harder to confuse keys, why not do that?
> The trust model of PGP is not based on key > IDs. The short IDs are only used to let users grab our keys at will; > and as the blog post shows, GPG handles repeating key IDs just fine.
Do all developer keys have at least one signature of some other key? In the absence of signatures (and how does the user verify that those have been made by developers?), what users have is our list of short key IDs.

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies