[gentoo-project] let's stop using short gpg key ids, that's insecure

[gentoo-project] let's stop using short gpg key ids, that's insecure

["Paweł Hajdan, Jr."]

[-- Attachment #1: Type: text/plain, Size: 630 bytes --]

You've probably read (or should)
<http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html>
which describes why using short gpg key ids is insecure.

Note it's about IDs, i.e. 0x30427902 vs. 0xB9442D9430427902 (it's short
and long ID of my current key), not the keys themselves. That means no
need to change keys, just change the way we display them on web pages
and possibly in other places.

What do you think? Should I file a bug to convert e.g.
http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml ? Or do we
only have short key IDs in LDAP, which would require everyone to submit
the full ID?


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 203 bytes --]

Re: [gentoo-project] let's stop using short gpg key ids, that's insecure

[Chí-Thanh Christopher Nguyễn]

"Paweł Hajdan, Jr." schrieb:
> You've probably read (or should)
> <http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html>
> which describes why using short gpg key ids is insecure.

I came across this blog post via the slashdot story
http://yro.slashdot.org/story/11/12/27/0044242/gnupg-short-id-collision-has-occurred
and frankly I am not convinced that there is an actual security problem.
The short ID is just for easy finding of the key. It is not intended for
unique GPG key identification, and anybody who uses it that way deserves
a good beating with the cluebat.

Best regards,
Chí-Thanh Christopher Nguyễn

Re: [gentoo-project] let's stop using short gpg key ids, that's insecure

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 928 bytes --]

On Mon, 02 Jan 2012 15:47:23 +0100
""Paweł Hajdan, Jr."" <phajdan.jr@gentoo.org> wrote:

> You've probably read (or should)
> <http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html>
> which describes why using short gpg key ids is insecure.

Insecure to what? In the same manner, you can say that using your first
and surname is insecure.

> What do you think? Should I file a bug to convert e.g.
> http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml ? Or do we
> only have short key IDs in LDAP, which would require everyone to
> submit the full ID?

There's no reason to panic. The trust model of PGP is not based on key
IDs. The short IDs are only used to let users grab our keys at will;
and as the blog post shows, GPG handles repeating key IDs just fine.
I think we can afford that one a million times users will download one
additional key.

-- 
Best regards,
Michał Górny

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 316 bytes --]

Re: [gentoo-project] let's stop using short gpg key ids, that's insecure

["Paweł Hajdan, Jr."]

[-- Attachment #1: Type: text/plain, Size: 662 bytes --]

On 1/2/12 6:17 PM, Michał Górny wrote:
> Insecure to what?

It's easy to confuse keys that way. I'm not saying that it results in an
immediate compromise or that it's urgent, but if we can make it harder
to confuse keys, why not do that?

> The trust model of PGP is not based on key
> IDs. The short IDs are only used to let users grab our keys at will;
> and as the blog post shows, GPG handles repeating key IDs just fine.

Do all developer keys have at least one signature of some other key? In
the absence of signatures (and how does the user verify that those have
been made by developers?), what users have is our list of short key IDs.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 203 bytes --]

Re: [gentoo-project] let's stop using short gpg key ids, that's insecure

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 1080 bytes --]

On Thu, 05 Jan 2012 18:57:35 +0100
""Paweł Hajdan, Jr."" <phajdan.jr@gentoo.org> wrote:

> On 1/2/12 6:17 PM, Michał Górny wrote:
> > Insecure to what?
> 
> It's easy to confuse keys that way. I'm not saying that it results in
> an immediate compromise or that it's urgent, but if we can make it
> harder to confuse keys, why not do that?

I don't say that we should or shouldn't do that. I just say that we
shouldn't say it will improve any kind of 'security'.

> > The trust model of PGP is not based on key
> > IDs. The short IDs are only used to let users grab our keys at will;
> > and as the blog post shows, GPG handles repeating key IDs just fine.
> 
> Do all developer keys have at least one signature of some other key?
> In the absence of signatures (and how does the user verify that those
> have been made by developers?), what users have is our list of short
> key IDs.

And how can they verify that list? I don't think there's a reason to
trust it, and I don't think most of us care about it at all.

-- 
Best regards,
Michał Górny

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 316 bytes --]