List Archive: gentoo-project
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On Thu, 05 Jan 2012 18:57:35 +0100
""Paweł Hajdan, Jr."" <firstname.lastname@example.org> wrote:
> On 1/2/12 6:17 PM, Michał Górny wrote:
> > Insecure to what?
> It's easy to confuse keys that way. I'm not saying that it results in
> an immediate compromise or that it's urgent, but if we can make it
> harder to confuse keys, why not do that?
I don't say that we should or shouldn't do that. I just say that we
shouldn't say it will improve any kind of 'security'.
> > The trust model of PGP is not based on key
> > IDs. The short IDs are only used to let users grab our keys at will;
> > and as the blog post shows, GPG handles repeating key IDs just fine.
> Do all developer keys have at least one signature of some other key?
> In the absence of signatures (and how does the user verify that those
> have been made by developers?), what users have is our list of short
> key IDs.
And how can they verify that list? I don't think there's a reason to
trust it, and I don't think most of us care about it at all.