Gentoo Archives: gentoo-project

From: "Michał Górny" <mgorny@g.o>
To: gentoo-project@l.g.o
Cc: phajdan.jr@g.o
Subject: Re: [gentoo-project] let's stop using short gpg key ids, that's insecure
Date: Mon, 02 Jan 2012 17:17:18
Message-Id: 20120102181752.27c70a7f@pomiocik.lan
In Reply to: [gentoo-project] let's stop using short gpg key ids, that's insecure by "Paweł Hajdan
On Mon, 02 Jan 2012 15:47:23 +0100
"Paweł Hajdan, Jr." <phajdan.jr@g.o> wrote:

> You've probably read (or should)
> <>
> which describes why using short gpg key ids is insecure.

Insecure to what? In the same manner, you can say that using your first and surname is insecure.

> What do you think? Should I file a bug to convert e.g.
> ? Or do we
> only have short key IDs in LDAP, which would require everyone to
> submit the full ID?

There's no reason to panic. The trust model of PGP is not based on key IDs. The short IDs are only used to let users grab our keys at will; and as the blog post shows, GPG handles repeating key IDs just fine. I think we can afford that one in a million times users will download one additional key.

--
Best regards,
Michał Górny


File name MIME type
signature.asc application/pgp-signature