Now Publishing fedora developer PGP keys in DNSSEC

Paul Wouters paul at nohats.ca
Wed Jan 28 23:10:13 UTC 2015


On Wed, 28 Jan 2015, Till Maas wrote:

> The keyid is part of the fingerprint, so with the fingerprint one can
> download the key and verify it. Therefore it is the only right thing to
> do.

I'm not saying don't store the fingerprint, but use a separate field for
that which is not the keyid field. People write the fingerprint in
various different syntaxes, using : or - or " ", etc.

> | 5) almost all these keys are old keys of which I could forge a fake
> |     matching keyid and upload it to public key servers.
>
> Can you explain this? For which keys is this not possible?

https://github.com/coruus/cooperpair/tree/master/keysteak

Only v4 keys are safe.

> This is afaik
> the reason why a keyid is not so useful, but a full fingerprint is.

Right. Although to make the v3 keys safe to use, I understood that the
way one generates/shows a fingerprint would change, so therefore the old
vulnerable fingerprint would change anyway, so you might as well just
generate a new v4 key.

> Thank you for promoting GPG usage. Did you think about
> adding unique uids to Fedora release GPG keys to make them available
> this way as well?

I thought about it but we don't use unique email addresses for different
release keys. So they would all be under fedora at fedoraproject.org.

I could put them under fedoraXX at fedoraproject.org ?

Paul
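
As an added example (not part of Paul's mail or of any Fedora tooling): how a version 4 fingerprint and its 64-bit key ID are derived from a public-key packet, why a consumer should refuse anything but v4 before trusting the key ID, and how the ':' / '-' / space fingerprint spellings mentioned above can be normalized before storing. The RSA numbers and creation time are constructed toy values, not a real key.

```python
import hashlib
import re
import struct

# Constructed sample values; NOT a real key. Real RSA moduli are 2048+ bits,
# but the fingerprint and key-ID derivation is identical.
SAMPLE_N = 0xC0FFEE1234567890ABCDEF
SAMPLE_E = 65537
SAMPLE_CREATED = 1422486613  # constructed creation timestamp (seconds since epoch)


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2):
    version byte, 4-byte creation time, algorithm 1 (RSA), then MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint_v4(body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, a two-byte body length, and the body.
    Refuses v3 bodies, whose key IDs can be forged (see the keysteak link)."""
    if body[0] != 4:
        raise ValueError("refusing v%d key: only v4 fingerprints are safe to use" % body[0])
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def long_keyid(fingerprint: str) -> str:
    """The 64-bit key ID is just the low-order 8 bytes of the v4 fingerprint,
    which is why the fingerprint, not the key ID, is the value worth storing."""
    return fingerprint[-16:]


def normalize_fingerprint(text: str) -> str:
    """Canonicalize a fingerprint typed with ':' , '-' or spaces; reject anything
    that does not reduce to exactly 40 hex digits."""
    hexonly = re.sub(r"[\s:\-]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexonly):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % text)
    return hexonly


if __name__ == "__main__":
    fp = fingerprint_v4(v4_rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED))
    print("fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
    print("long key id:", long_keyid(fp))
```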

