Now Publishing fedora developer PGP keys in DNSSEC

Till Maas opensource at till.name
Wed Jan 28 21:02:43 UTC 2015


On Wed, Jan 28, 2015 at 03:34:02PM -0500, Paul Wouters wrote:

| Note that during FAS processing I found out that:
| 
| 1) there are many nonsense values instead of keyids in the fas field
|     (some put in their fingerprint, which is not useful without a key,
|     some had multiple keyids, and one person managed to unicode kill
|     python-gnupg by putting their name in there)

The keyid is part of the fingerprint, so with the fingerprint one can
download the key and verify it. Therefore it is the only right thing to
do.

| 5) almost all these keys are old keys of which I could forge a fake
|     matching keyid and upload it to public key servers.

Can you explain this? For which keys is this not possible? This is afaik
the reason why a keyid is not so useful, but a full fingerprint is.
There is also someone who created such keys for all keys:
https://evil32.com/

Thank you for promoting GPG usage. Did you think about
adding unique uids to Fedora release GPG keys to make them available
this way as well?

Regards
Till
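Added worked example (not part of Till's or Paul's mail, and not Fedora's FAS code): it shows the relationship the reply relies on, namely that a v4 OpenPGP fingerprint is SHA-1 over the public-key packet (RFC 4880 section 12.2) and that the long and short key IDs are just its low 64 and 32 bits, so a full fingerprint lets you verify a downloaded key while a short key ID does not. It also contains a small classifier for the kinds of field values Paul lists (fingerprint, short or long keyid, multiple keyids, nonsense). The key packet body, creation time and MPI values are constructed toy data, not a usable key.

```python
import hashlib
import re
import struct

HEX = re.compile(r"^[0-9A-F]+$")


def normalize(value: str) -> str:
    """Strip whitespace, grouping spaces and an optional 0x prefix, uppercase hex."""
    v = value.strip().replace(" ", "").upper()
    if v.startswith("0X"):
        v = v[2:]
    return v


def v4_fingerprint(public_key_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880, 12.2): SHA-1 over the octet 0x99,
    the two-octet big-endian length of the public-key packet body, and the body."""
    h = hashlib.sha1()
    h.update(b"\x99" + struct.pack(">H", len(public_key_body)) + public_key_body)
    return h.hexdigest().upper()


def key_ids_from_fingerprint(fingerprint: str):
    """Return (long_keyid, short_keyid): the low 64 and low 32 bits of the fingerprint.
    The key ID carries no information that is not already in the fingerprint."""
    fp = normalize(fingerprint)
    return fp[-16:], fp[-8:]


def toy_v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Constructed toy public-key packet body (not a real RSA key): version 4,
    creation time, algorithm 1 (RSA), then n and e encoded as MPIs."""
    def mpi(x: int) -> bytes:
        bits = x.bit_length()
        return struct.pack(">H", bits) + x.to_bytes((bits + 7) // 8, "big")
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def _classify_token(token: str) -> str:
    if not HEX.match(token):
        return "nonsense"
    return {40: "fingerprint", 16: "long keyid", 8: "short keyid"}.get(len(token), "nonsense")


def classify_fas_value(value: str) -> str:
    """Classify a free-form 'GPG key' field: fingerprint, long keyid, short keyid,
    multiple (several identifiers), or nonsense (anything else, e.g. a name)."""
    kind = _classify_token(normalize(value))
    if kind != "nonsense":
        return kind
    tokens = [normalize(t) for t in re.split(r"[,\s]+", value.strip()) if t]
    if len(tokens) > 1 and all(_classify_token(t) != "nonsense" for t in tokens):
        return "multiple"
    return "nonsense"


def keyid_matches_fingerprint(keyid: str, fingerprint: str) -> bool:
    """A key ID 'matches' a fingerprint only in the weak sense of being its suffix;
    many distinct keys can share a 32-bit suffix, so this is not a key verification."""
    if _classify_token(normalize(keyid)) not in ("long keyid", "short keyid"):
        return False
    return normalize(fingerprint).endswith(normalize(keyid))


def downloaded_key_matches(expected_fingerprint: str, public_key_body: bytes) -> bool:
    """The check that a full fingerprint makes possible: recompute the fingerprint
    of the key fetched from a keyserver and compare all 160 bits."""
    return v4_fingerprint(public_key_body) == normalize(expected_fingerprint)


def demo():
    # Creation time is the date of this mail (2015-01-28 21:02:43 UTC), an arbitrary
    # constructed value; n and e are toy numbers, not a usable RSA modulus.
    body = toy_v4_rsa_public_key_body(1422478963, 0xC0FFEE1234567890ABCDEF, 65537)
    fp = v4_fingerprint(body)
    long_id, short_id = key_ids_from_fingerprint(fp)
    return fp, long_id, short_id, body


if __name__ == "__main__":
    fp, long_id, short_id, _ = demo()
    print("fingerprint:", fp)
    print("long keyid: ", long_id, " short keyid:", short_id)
    for sample in ["ABCD1234", "0xABCD1234EF567890", "Till Maas", "ABCD1234, 0xDEADBEEF"]:
        print(repr(sample), "->", classify_fas_value(sample))
```

Run as a script it prints the toy fingerprint, its derived key IDs and the classification of a few constructed field values; the functions are importable for use on real field contents.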
