From: Michał Górny
To: gentoo-project@lists.gentoo.org
Cc: phajdan.jr@gentoo.org
Subject: Re: [gentoo-project] let's stop using short gpg key ids, that's insecure
Date: Mon, 2 Jan 2012 18:17:52 +0100
Message-ID: <20120102181752.27c70a7f@pomiocik.lan>
In-Reply-To: <4F01C37B.6000305@gentoo.org>
References: <4F01C37B.6000305@gentoo.org>
Organization: Gentoo
X-Mailer: Claws Mail 3.8.0 (GTK+ 2.24.8; x86_64-pc-linux-gnu)
List-Id: Gentoo Project discussion list

On Mon, 02 Jan 2012 15:47:23 +0100
"Paweł Hajdan, Jr." wrote:

> You've probably read (or should)
>
> which describes why using short gpg key ids is insecure.

Insecure to what? In the same manner, you can say that using your first
name and surname is insecure.

> What do you think? Should I file a bug to convert e.g.
> http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml ? Or do we
> only have short key IDs in LDAP, which would require everyone to
> submit the full ID?

There's no reason to panic. The trust model of PGP is not based on key
IDs. The short IDs are only used to let users grab our keys at will; and
as the blog post shows, GPG handles repeating key IDs just fine.

I think we can afford that once in a million times users will download
one additional key.

-- 
Best regards,
Michał Górny
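As an added illustration that is not part of the thread, the following Python sketch shows where short (32-bit) and long (64-bit) key IDs come from under RFC 4880 and why a key lookup should insist on the full fingerprint rather than a short ID. The key material, owner names and the colliding "impostor" entry are constructed for the example.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet (RFC 4880 5.5.2): version, creation time, algorithm 1, n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: the v4 fingerprint is SHA-1 over 0x99, the 2-byte body length and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def long_id(fp: str) -> str:
    return fp[-16:]  # low 64 bits of the fingerprint

def short_id(fp: str) -> str:
    return fp[-8:]   # low 32 bits: the "short key ID" the thread is about

def candidates(keyring: dict, ident: str) -> list:
    """All keys whose fingerprint ends in the given hex identifier (short ID, long ID or full fingerprint)."""
    ident = ident.upper().removeprefix("0X")
    return [owner for fp, owner in keyring.items() if fp.endswith(ident)]

def resolve(keyring: dict, ident: str) -> str:
    """Like candidates(), but refuses to choose when the identifier does not pin down exactly one key."""
    found = candidates(keyring, ident)
    if len(found) != 1:
        raise LookupError(f"{ident}: {len(found)} keys match, need exactly 1")
    return found[0]

# Constructed toy key material (tiny moduli, not real keys); owner -> packet body.
SAMPLE_KEYS = {
    "alice": v4_pubkey_body(1325523472, 0xC3A5F2E9D1B7A4C6E8F0123456789ABCDEF0123456789ABCDEF0123456789ABD, 65537),
    "bob": v4_pubkey_body(1325523473, 0x9F8E7D6C5B4A39281706F5E4D3C2B1A0FEDCBA9876543210FEDCBA98765432F1, 65537),
}

def build_keyring() -> dict:
    """Keyring of fingerprint -> owner, plus a constructed entry that shares only Alice's short ID."""
    ring = {fingerprint(body): owner for owner, body in SAMPLE_KEYS.items()}
    ring["0" * 32 + short_id(fingerprint(SAMPLE_KEYS["alice"]))] = "impostor"
    return ring

if __name__ == "__main__":
    ring = build_keyring()
    alice_fp = fingerprint(SAMPLE_KEYS["alice"])
    print("short ID", short_id(alice_fp), "matches:", candidates(ring, short_id(alice_fp)))
    print("full fingerprint resolves to:", resolve(ring, alice_fp))
```

Fetching by short ID returns two candidates here, which is the "one additional key" situation described in the reply; only the full fingerprint resolves unambiguously.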