List Archive: gentoo-project
Headers:
To: gentoo-project@g.o
From: Michał Górny <mgorny@g.o>
Subject: Re: let's stop using short gpg key ids, that's insecure
Date: Thu, 5 Jan 2012 19:21:55 +0100

On Thu, 05 Jan 2012 18:57:35 +0100
"Paweł Hajdan, Jr." <phajdan.jr@g.o> wrote:

> On 1/2/12 6:17 PM, Michał Górny wrote:
> > Insecure to what?
> 
> It's easy to confuse keys that way. I'm not saying that it results in
> an immediate compromise or that it's urgent, but if we can make it
> harder to confuse keys, why not do that?

I don't say that we should or shouldn't do that. I just say that we
shouldn't say it will improve any kind of 'security'.

> > The trust model of PGP is not based on key
> > IDs. The short IDs are only used to let users grab our keys at will;
> > and as the blog post shows, GPG handles repeating key IDs just fine.
> 
> Do all developer keys have at least one signature of some other key?
> In the absence of signatures (and how does the user verify that those
> have been made by developers?), what users have is our list of short
> key IDs.

And how can they verify that list? I don't think there's a reason to
trust it, and I don't think most of us care about it at all.

-- 
Best regards,
Michał Górny
Attachment:
signature.asc (PGP signature)


Updated Jul 05, 2012

Summary: Archive of the gentoo-project mailing list.
