List Archive: gentoo-project
Headers:
To: gentoo-project@g.o
From: Michał Górny <mgorny@g.o>
Subject: Re: let's stop using short gpg key ids, that's insecure
Date: Mon, 2 Jan 2012 18:17:52 +0100

On Mon, 02 Jan 2012 15:47:23 +0100
"Paweł Hajdan, Jr." <phajdan.jr@g.o> wrote:

> You've probably read (or should)
> <http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html>
> which describes why using short gpg key ids is insecure.

Insecure to what? In the same manner, you can say that using your first
and surname is insecure.

> What do you think? Should I file a bug to convert e.g.
> http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml ? Or do we
> only have short key IDs in LDAP, which would require everyone to
> submit the full ID?

There's no reason to panic. The trust model of PGP is not based on key
IDs. The short IDs are only used to let users grab our keys at will;
and as the blog post shows, GPG handles repeating key IDs just fine.
I think we can afford that one in a million times users will download one
additional key.

-- 
Best regards,
Michał Górny
Attachment:
signature.asc (PGP signature)
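
Added example, not part of the original message or of any Gentoo tooling: a Python sketch that reads output in the style of `gpg --with-colons --fingerprint`, reports which primary keys share a short (8 hex digit) key ID, and shows that only a longer reference narrows a lookup to one key. The listing, fingerprints and user IDs are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the style of `gpg --with-colons --fingerprint`.
# All fingerprints and user IDs are made up; two primaries share short ID 33334444.
SAMPLE = """\
pub:-:4096:1:1111222233334444:1325500000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1325500000::0000::Constructed Dev One <dev1@example.org>:
sub:-:4096:1:9999000099990000:1325500000::::::e:
fpr:::::::::1234123412341234123412349999000099990000:
pub:-:2048:1:DEADBEEF33334444:1325500001:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567DEADBEEF33334444:
uid:-::::1325500001::0000::Constructed Dev One <dev1@example.org>:
pub:-:4096:1:5555666677778888:1325500002:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA985555666677778888:
uid:-::::1325500002::0000::Constructed Dev Two <dev2@example.org>:
"""

def primary_keys(listing):
    """Map primary-key fingerprint -> first user ID (subkey fpr records are skipped)."""
    keys, last_key_rec, current = {}, None, None
    for line in listing.splitlines():
        field = line.split(":")
        if field[0] in ("pub", "sub"):
            last_key_rec = field[0]
        elif field[0] == "fpr" and last_key_rec == "pub":
            current = field[9].upper()  # field 10 of an fpr record is the fingerprint
            keys[current] = None
        elif field[0] == "uid" and current and keys[current] is None:
            keys[current] = field[9]    # field 10 of a uid record is the user ID
    return keys

def short_id_collisions(keys):
    """Return {short_id: [fingerprints]} for short IDs held by more than one key."""
    by_short = defaultdict(list)
    for fpr in keys:
        by_short[fpr[-8:]].append(fpr)
    return {sid: sorted(fprs) for sid, fprs in by_short.items() if len(fprs) > 1}

def lookup(keys, ref):
    """Return every fingerprint whose tail matches ref (short ID, long ID or fingerprint)."""
    ref = ref.upper().replace(" ", "")
    if ref.startswith("0X"):
        ref = ref[2:]
    return sorted(fpr for fpr in keys if fpr.endswith(ref))

if __name__ == "__main__":
    keys = primary_keys(SAMPLE)
    for sid, fprs in short_id_collisions(keys).items():
        print(f"short ID {sid} is ambiguous:")
        for fpr in fprs:
            print(f"  {fpr}  {keys[fpr]}")
```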
Updated Jul 05, 2012