| 1 |
On 1/2/12 6:17 PM, Michał Górny wrote: |
| 2 |
> Insecure to what? |
| 3 |
|
| 4 |
It's easy to confuse keys that way. I'm not saying that it results in an |
| 5 |
immediate compromise or that it's urgent, but if we can make it harder |
| 6 |
to confuse keys, why not do that? |
| 7 |
|
| 8 |
> The trust model of PGP is not based on key |
| 9 |
> IDs. The short IDs are only used to let users grab our keys at will; |
| 10 |
> and as the blog post shows, GPG handles repeating key IDs just fine. |
| 11 |
|
| 12 |
Do all developer keys have at least one signature of some other key? In |
| 13 |
the absence of signatures (and how does the user verify that those have |
| 14 |
been made by developers?), what users have is our list of short key IDs. |
Archives