From: "Paweł Hajdan, Jr."
Date: Thu, 05 Jan 2012 18:57:35 +0100
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] let's stop using short gpg key ids, that's insecure
Message-ID: <4F05E48F.3040802@gentoo.org>
In-Reply-To: <20120102181752.27c70a7f@pomiocik.lan>
References: <4F01C37B.6000305@gentoo.org> <20120102181752.27c70a7f@pomiocik.lan>
On 1/2/12 6:17 PM, Michał Górny wrote:
> Insecure to what?

It's easy to confuse keys that way. I'm not saying that it results in an immediate compromise or that it's urgent, but if we can make it harder to confuse keys, why not do that?

> The trust model of PGP is not based on key
> IDs. The short IDs are only used to let users grab our keys at will;
> and as the blog post shows, GPG handles repeating key IDs just fine.

Do all developer keys have at least one signature of some other key? In the absence of signatures (and how does the user verify that those have been made by developers?), what users have is our list of short key IDs.
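The confusion discussed in this thread comes from resolving keys by the 8-hex-digit short ID, which is only the low 32 bits of the fingerprint, so two unrelated keys can share one. The Python below is an added example, not part of the original message or of Gentoo's tooling: it flags short-ID collisions in a keyring and refuses to resolve an identifier that is shorter than the 16-digit long ID or that matches more than one key. The keyring, user IDs and fingerprints are constructed, with two fingerprints deliberately sharing a short ID.

```python
import re
from collections import defaultdict

# Constructed, non-real fingerprints (40 hex digits each); the last two share
# the same 8-digit short key ID on purpose, to show why short IDs are ambiguous.
KEYRING = {
    "Dev A <deva@example.invalid>": "1111222233334444555566667777888899990000",
    "Dev B <devb@example.invalid>": "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333",
    "Dev C <devc@example.invalid>": "123456789ABCDEF0123456789ABCDEF012345678",
    "Impostor <x@example.invalid>": "FEDCBA9876543210FEDCBA98FEDCBA9812345678",
}

def normalize(ident):
    """Strip whitespace and a 0x prefix, upper-case; reject non-hex input."""
    ident = re.sub(r"\s+", "", ident).upper()
    if ident.startswith("0X"):
        ident = ident[2:]
    if not re.fullmatch(r"[0-9A-F]+", ident):
        raise ValueError("identifier is not hexadecimal")
    return ident

def short_id_collisions(keyring):
    """Map each 8-hex-digit short ID carried by more than one key to the
    user IDs that share it; an empty dict means the keyring is collision-free."""
    by_short = defaultdict(list)
    for uid, fpr in keyring.items():
        by_short[fpr[-8:].upper()].append(uid)
    return {sid: uids for sid, uids in by_short.items() if len(uids) > 1}

def resolve(keyring, ident, min_hex=16):
    """Resolve a key by fingerprint suffix. Returns (status, matches) with
    status 'ok', 'too_short', 'ambiguous' or 'unknown'. Identifiers shorter
    than min_hex digits (by default anything below a long ID) are refused,
    and even a long enough identifier must match exactly one key."""
    ident = normalize(ident)
    if len(ident) < min_hex:
        return "too_short", []
    matches = [uid for uid, fpr in keyring.items() if fpr.upper().endswith(ident)]
    if len(matches) == 1:
        return "ok", matches
    return ("ambiguous" if matches else "unknown"), matches

if __name__ == "__main__":
    print("short-ID collisions:", short_id_collisions(KEYRING))
    print(resolve(KEYRING, "12345678"))             # refused: only a short ID
    print(resolve(KEYRING, "12345678", min_hex=8))  # what a short-ID lookup sees
    print(resolve(KEYRING, "0x9ABCDEF012345678"))   # long ID resolves uniquely
```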