List Archive: gentoo-project
On Mon, 02 Jan 2012 15:47:23 +0100
"Paweł Hajdan, Jr." <phajdan.jr@g.o> wrote:
> You've probably read (or should)
> <http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html>
> which describes why using short gpg key ids is insecure.
Insecure to what? In the same manner, you can say that using your first
and surname is insecure.
> What do you think? Should I file a bug to convert e.g.
> http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml ? Or do we
> only have short key IDs in LDAP, which would require everyone to
> submit the full ID?
There's no reason to panic. The trust model of PGP is not based on key
IDs. The short IDs are only used to let users grab our keys at will;
and as the blog post shows, GPG handles repeating key IDs just fine.
I think we can afford that one in a million times users will download one
additional key.
--
Best regards,
Michał Górny
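
Added example, not part of the original message: a short key ID is the low 32 bits of a v4 OpenPGP fingerprint and a long key ID the low 64 bits, so a roster of published key references can be audited for entries that match more than one key in a keyring. The fingerprints, the roster and the function names below are constructed for illustration.

```python
import re

# Constructed sample fingerprints (not real keys). A v4 OpenPGP fingerprint is
# 160 bits (40 hex digits); the long key ID is its low 64 bits and the short
# key ID its low 32 bits.
KEYRING = [
    "A1B2C3D4E5F60718293A4B5C6D7E8F90DEADBEEF",
    "0F1E2D3C4B5A69788796A5B4C3D2E1F0DEADBEEF",  # same short ID as above
    "1122334455667788990011223344556677889900",
]

# Constructed roster: developer -> key reference as published.
ROSTER = {
    "alice": "0xDEADBEEF",
    "bob": "0x6D7E8F90DEADBEEF",
    "carol": "1122 3344 5566 7788 9900  1122 3344 5566 7788 9900",
    "dave": "0x0BADF00D",
}

def normalize(ref):
    """Strip the 0x prefix and spaces, upper-case, and validate the length."""
    h = re.sub(r"\s+", "", ref).upper()
    if h.startswith("0X"):
        h = h[2:]
    if not re.fullmatch(r"[0-9A-F]+", h) or len(h) not in (8, 16, 40):
        raise ValueError(f"not a key ID or v4 fingerprint: {ref!r}")
    return h

def kind(ref):
    """Classify a reference by its length in hex digits."""
    return {8: "short", 16: "long", 40: "fingerprint"}[len(normalize(ref))]

def matches(ref, keyring=KEYRING):
    """Fingerprints in the keyring whose low-order digits equal the reference."""
    h = normalize(ref)
    return [fpr for fpr in keyring if fpr.endswith(h)]

def audit(roster=ROSTER, keyring=KEYRING):
    """Map each developer to (reference kind, missing/unique/ambiguous)."""
    report = {}
    for dev, ref in roster.items():
        n = len(matches(ref, keyring))
        status = "missing" if n == 0 else "unique" if n == 1 else "ambiguous"
        report[dev] = (kind(ref), status)
    return report

if __name__ == "__main__":
    for dev, (k, status) in audit().items():
        print(f"{dev:6} {k:12} {status}")
```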