On 1/2/12 6:17 PM, Michał Górny wrote:
> Insecure to what?

It's easy to confuse keys that way. I'm not saying that it results in an
immediate compromise or that it's urgent, but if we can make it harder
to confuse keys, why not do that?

> The trust model of PGP is not based on key
> IDs. The short IDs are only used to let users grab our keys at will;
> and as the blog post shows, GPG handles repeating key IDs just fine.

Do all developer keys have at least one signature of some other key? In
the absence of signatures (and how does the user verify that those have
been made by developers?), what users have is our list of short key IDs.
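
The ambiguity discussed in this message can be checked mechanically; the following is an added example, not part of the original e-mail or of any project tooling. It assumes V4 OpenPGP keys, where the long and short key IDs are the low-order 64 and 32 bits of the fingerprint; the function names and all fingerprints are constructed for illustration.

```python
from collections import defaultdict

def clean(ident: str) -> str:
    """Upper-case a hex identifier and drop spaces and an optional 0x prefix."""
    h = ident.replace(" ", "").upper()
    return h[2:] if h.startswith("0X") else h

def normalize(fpr: str) -> str:
    """Validate and canonicalize a 40-hex-digit V4 fingerprint."""
    h = clean(fpr)
    if len(h) != 40 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError(f"not a V4 fingerprint: {fpr!r}")
    return h

def short_id(fpr: str) -> str:
    return normalize(fpr)[-8:]    # low-order 32 bits

def long_id(fpr: str) -> str:
    return normalize(fpr)[-16:]   # low-order 64 bits

def resolve(published: str, keyring: list) -> list:
    """Every keyring fingerprint that a published identifier could refer to."""
    ident = clean(published)
    return [normalize(f) for f in keyring if normalize(f).endswith(ident)]

def ambiguous_short_ids(keyring: list) -> dict:
    """Map each short ID shared by more than one key to those fingerprints."""
    groups = defaultdict(list)
    for f in keyring:
        groups[short_id(f)].append(normalize(f))
    return {sid: fprs for sid, fprs in groups.items() if len(fprs) > 1}

# Constructed sample data: two keys sharing a short ID and one unrelated key.
DEV_KEY = "1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA"
OTHER_KEY = "BBBB CCCC DDDD EEEE FFFF 0000 1234 5678 9999 AAAA"
THIRD_KEY = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
KEYRING = [DEV_KEY, OTHER_KEY, THIRD_KEY]

if __name__ == "__main__":
    for sid, fprs in ambiguous_short_ids(KEYRING).items():
        print(f"short ID {sid} matches {len(fprs)} keys: {fprs}")
    print("long ID   ->", resolve(long_id(DEV_KEY), KEYRING))
    print("full fpr  ->", resolve(DEV_KEY, KEYRING))
```

A published list can be run through `ambiguous_short_ids` before release; any entry it returns is one a reader cannot tie to a single key without the longer identifier.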