List Archive: gentoo-project
Headers:
To: gentoo-project@g.o
From: "Paweł Hajdan, Jr." <phajdan.jr@g.o>
Subject: Re: let's stop using short gpg key ids, that's insecure
Date: Thu, 05 Jan 2012 18:57:35 +0100

On 1/2/12 6:17 PM, Michał Górny wrote:
> Insecure to what?

It's easy to confuse keys that way. I'm not saying that it results in an
immediate compromise or that it's urgent, but if we can make it harder
to confuse keys, why not do that?

> The trust model of PGP is not based on key
> IDs. The short IDs are only used to let users grab our keys at will;
> and as the blog post shows, GPG handles repeating key IDs just fine.

Do all developer keys have at least one signature of some other key? In
the absence of signatures (and how does the user verify that those have
been made by developers?), what users have is our list of short key IDs.

Attachment:
signature.asc (OpenPGP digital signature)
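
The key confusion discussed in the message above, as an added example that is not part of the original post or of any Gentoo tooling: a small audit that resolves a published list of key identifiers against a keyring listing and flags any identifier that matches more than one key. The listing, fingerprints, user IDs and function names are constructed for illustration; the only external fact relied on is that a v4 OpenPGP key ID is the trailing 64 bits (long) or 32 bits (short) of the fingerprint.

```python
import re

# Constructed sample in `gpg --with-colons --fingerprint` format; all values are made up.
SAMPLE_LISTING = """\
pub:-:4096:1:6D7E8F90DEADBEEF:1325376000:::-:::scESC:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F90DEADBEEF:
uid:-::::1325376000::::Developer One <dev1@example.org>:
pub:-:2048:1:C3D2E1F0DEADBEEF:1325376000:::-:::scESC:
fpr:::::::::0F1E2D3C4B5A69788796A5B4C3D2E1F0DEADBEEF:
uid:-::::1325376000::::Someone Else <other@example.net>:
pub:-:4096:1:90ABCDEF12345678:1325376000:::-:::scESC:
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
uid:-::::1325376000::::Developer Two <dev2@example.org>:
"""

def parse_keyring(listing):
    """Map primary-key fingerprint -> first user ID from a colon listing."""
    keys, current, after_pub = {}, None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            after_pub = f[0] == "pub"      # ignore subkey fingerprints
        elif f[0] == "fpr" and after_pub:
            current, after_pub = f[9].upper(), False
            keys[current] = None
        elif f[0] == "uid" and current and keys[current] is None:
            keys[current] = f[9]
    return keys

def classify(identifier):
    """Normalise an identifier and name its form by its length in hex digits."""
    h = re.sub(r"^0x|\s", "", identifier.strip(), flags=re.I).upper()
    if not re.fullmatch(r"[0-9A-F]+", h):
        return None, "invalid"
    return h, {8: "short", 16: "long", 40: "fingerprint"}.get(len(h), "invalid")

def audit(published, keyring):
    """Resolve each published identifier against the keyring and grade it."""
    report = []
    for ident in published:
        h, kind = classify(ident)
        # A key ID matches every key whose fingerprint ends with it.
        hits = sorted(fp for fp in keyring if kind != "invalid" and fp.endswith(h))
        if len(hits) != 1:
            status = "ambiguous" if hits else "unresolved"
        else:
            status = "ok" if kind == "fingerprint" else "weak"
        report.append((ident, kind, status, hits))
    return report
```

In this grading, "weak" means the identifier happens to resolve to a single key in this keyring but is not a full fingerprint, so it gives no guarantee against a second key with the same ID appearing later.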


Updated Jun 18, 2012

Summary: Archive of the gentoo-project mailing list.
