From: Matthew Thode
To: gentoo-nfp@lists.gentoo.org
Date: Thu, 3 Aug 2017 23:09:54 -0500
Subject: Re: [gentoo-nfp] Re: PGP fingerprints of Foundation members (item for Trustees meeting)
Message-ID: <20170804040954.GA20444@gentoo.org>
In-Reply-To: <6816941.jZOj2AacRr@porto>

On 17-08-04 05:51:38, Andreas K. Huettel wrote:
> > > >Apparently, the Foundation only has a list of PGP key IDs in
> > > >https://wiki.gentoo.org/wiki/Foundation:Member_List. Even worse, most
> > > >IDs listed there are only 32 bit IDs, providing no security at all.
> > > >
> > > >I would like to ask the Foundation to keep a list with the (160 bit)
> > > >PGP fingerprints of its members. (For developers, this information
> > > >should be readily available in LDAP.)
> > > >
> > > >Ulrich
> >
> > What do we need to prove?
> >
> > That the key belongs to a given individual or just that the key on the
> > vote is the same as the key used for the membership application?
> >
>
> That the key on the vote is the same as the key used for the membership
> application.
>
> This is impossible without the full fingerprint.
> And with only the short keyid it's trivial to hack.
>
> --
> Andreas K. Hüttel
> dilfridge@gentoo.org
> Gentoo Linux developer (council, perl, libreoffice)
>

I think we should just record the full key id, would we still need to
also have the fingerprint in that case?

--
Matthew Thode (prometheanfire)
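
Added example, not part of the original message or of any Gentoo tooling: for version 4 OpenPGP keys (RFC 4880, section 12.2) the 64-bit key ID is the low-order 64 bits of the 160-bit fingerprint and the 32-bit ID the low-order 32, so a member-list entry can be classified by length and compared against the key that signed a vote. The function names and the sample packet bytes are hypothetical and constructed for illustration; version 4 keys are assumed.

```python
import hashlib
import re

def v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 4880 sec. 12.2: SHA-1 over 0x99, 2-byte length, public-key packet body."""
    if not pubkey_body or pubkey_body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    header = b"\x99" + len(pubkey_body).to_bytes(2, "big")
    return hashlib.sha1(header + pubkey_body).hexdigest().upper()

def normalize(recorded: str) -> str:
    """Strip spaces and an optional 0x prefix from a recorded identifier."""
    h = re.sub(r"\s+", "", recorded).upper()
    return h[2:] if h.startswith("0X") else h

def classify(recorded: str) -> str:
    """Name the kind of identifier found in a member-list entry."""
    h = normalize(recorded)
    if not re.fullmatch(r"[0-9A-F]+", h):
        return "invalid"
    kinds = {8: "short-id-32", 16: "long-id-64", 40: "fingerprint-160"}
    return kinds.get(len(h), "invalid")

def check_vote_key(recorded: str, vote_key_body: bytes) -> str:
    """Compare the key that signed a vote with the identifier on record."""
    kind = classify(recorded)
    fpr = v4_fingerprint(vote_key_body)
    if kind == "invalid" or not fpr.endswith(normalize(recorded)):
        return "mismatch"
    # A V4 key ID is the low-order 64 bits of the fingerprint (the short ID
    # the low 32), so a match on either leaves the remaining bits unchecked.
    return "verified" if kind == "fingerprint-160" else "match-on-truncated-id"

# Constructed placeholder packet body (version 4, creation time, algorithm 1,
# filler bytes); not a real key, used only to have something to hash.
SAMPLE_KEY_BODY = bytes([4]) + (1501819794).to_bytes(4, "big") + bytes([1]) + b"constructed"

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_KEY_BODY)
    for entry in (fpr[-8:], fpr[-16:], fpr):
        print(classify(entry), check_vote_key(entry, SAMPLE_KEY_BODY))
```

Only an entry holding the full 160-bit fingerprint yields `verified`; entries holding a 32-bit or 64-bit ID can at best report `match-on-truncated-id`.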