Now Publishing fedora developer PGP keys in DNSSEC

Björn Persson Bjorn at xn--rombobjrn-67a.se
Sun Feb 1 19:37:19 UTC 2015


Paul Wouters wrote:
>On Wed, 28 Jan 2015, Till Maas wrote:
>> | 5) almost all these keys are old keys of which I could forge a fake
>> |     matching keyid and upload it to public key servers.
>>
>> Can you explain this? For which keys is this not possible?
>
>https://github.com/coruus/cooperpair/tree/master/keysteak
>
>Only v4 keys are safe.
>
>> This is afaik
>> the reason why a keyid is not so useful, but a full fingerprint is.
>
>Right. Although to make the v3 keys safe to use, I understood that the
>way one generates/shows a fingerprint would change, so therefore the old
>vulnerable fingerprint would change anyway, so you might as well just
>generate a new v4 key.

Hmm? An old key that I generated in 1998 appears to be version 4. I'll
be quite surprised if "almost all" of the Fedora contributors who have
entered key IDs in FAS are using keys that are even older than that.

I'd be much more ready to believe that almost all of them have entered
fakeable 32-bit key IDs of their version 4 keys instead of the more
secure 64-bit key IDs.

-- 
Björn Persson
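To make the distinction in this thread concrete (v3 versus v4 keys, and 32-bit key IDs versus 64-bit key IDs versus full fingerprints), here is an added example that is not part of the mailing-list post and not Fedora's or FAS's own code. It builds a constructed OpenPGP v4 public-key packet body with made-up MPI values, derives the SHA-1 fingerprint exactly as RFC 4880 specifies, slices out the 64-bit and 32-bit key IDs, and classifies the kind of string a contributor might have typed into FAS. The `classify_key_reference` and `reference_is_acceptable` helpers are assumptions about what such a validator would look like, not anything FAS actually implements.

```python
import hashlib
import struct

# Constructed example: a minimal OpenPGP v4 public-key packet body
# (RFC 4880 section 5.5.2): version(1) | creation time(4) | algorithm(1) | MPIs.
# The MPI values used below are made-up small integers, not a real key.
RSA_ENCRYPT_OR_SIGN = 1


def encode_mpi(value):
    """RFC 4880 section 3.2: two-octet bit length followed by the big-endian value."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def build_v4_pubkey_body(creation_time, algorithm, mpis):
    """Assemble a v4 public-key packet body from its fields (constructed, not a real key)."""
    body = bytes([4]) + struct.pack(">I", creation_time) + bytes([algorithm])
    for m in mpis:
        body += encode_mpi(m)
    return body


def key_version(body):
    """The first octet of a public-key packet body is the key version (3 or 4)."""
    return body[0]


def v4_fingerprint(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, a two-octet length, and the packet body."""
    if key_version(body) != 4:
        # v3 keys are different: their key ID is the low 64 bits of the RSA modulus,
        # which is why a v3 key ID can be chosen rather than computed.
        raise ValueError("only v4 keys use the SHA-1 fingerprint")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint):
    """64-bit key ID: the low-order 64 bits (last 16 hex digits) of the v4 fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint):
    """32-bit key ID: the last 8 hex digits. Only 2^32 values exist, so it is not a safe identifier."""
    return fingerprint[-8:]


def classify_key_reference(text):
    """Classify a string a contributor might enter in a key-ID field by its hex length (assumed policy)."""
    s = text.strip().upper().replace(" ", "")
    if s.startswith("0X"):
        s = s[2:]
    if not s or any(c not in "0123456789ABCDEF" for c in s):
        return "invalid"
    return {8: "short-id", 16: "long-id", 40: "fingerprint"}.get(len(s), "invalid")


def reference_is_acceptable(text):
    """Assumed validator: accept a full fingerprint (preferred) or a 64-bit key ID, reject 32-bit IDs."""
    return classify_key_reference(text) in ("fingerprint", "long-id")


if __name__ == "__main__":
    # Constructed creation time and MPIs; the resulting key is not usable for anything.
    body = build_v4_pubkey_body(0x36FF8A00, RSA_ENCRYPT_OR_SIGN, [0xC0FFEE1234567891, 0x10001])
    fpr = v4_fingerprint(body)
    print("version:", key_version(body))
    print("fingerprint:", fpr)
    print("long key ID:", long_key_id(fpr), "short key ID:", short_key_id(fpr))
    for entry in (short_key_id(fpr), long_key_id(fpr), fpr):
        print(entry, "->", classify_key_reference(entry), "acceptable:", reference_is_acceptable(entry))
```

The point the classifier makes is the one raised in the thread: a v4 fingerprint is a hash of the whole key packet, and both key IDs are just its trailing bytes, so storing only the 8-hex-digit form keeps 32 bits of a 160-bit value. Storing the full fingerprint costs nothing and removes the ambiguity.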