| 1 |
On Wed, Oct 17, 2012 at 08:53:14AM +0800, Ben de Groot wrote: |
| 2 |
> > Additionally, while we are NOT enforcing the use of long key-ids |
| 3 |
> > presently, I strongly encourage ALL developers to move to using them, |
| 4 |
> > due to known attacks against short ids: |
| 5 |
> > http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html |
| 6 |
> > Long key-ids are the 16/24/32 hexdigit long versions of your key ids. |
| 7 |
> Why not enforce best practices and only accept the above long key-ids? |
| 8 |
Depending on the age of your key, this is not practical to check |
| 9 |
quickly. It would require a call out to gpg to expand a given ID, and |
| 10 |
see if it actually expands or is already expanded. That's actually why |
| 11 |
the length check is so complicated. |
| 12 |
|
| 13 |
If we don't mind forcing devs & anybody using the signing functionality |
| 14 |
to replace old keys (they'd be well over a decade at this point), we can |
| 15 |
drop the length=8 variation in the regex. |
| 16 |
|
| 17 |
-- |
| 18 |
Robin Hugh Johnson |
| 19 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
| 20 |
E-Mail : robbat2@g.o |
| 21 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
Archives