On Wed, Jan 28, 2015 at 03:34:02PM -0500, Paul Wouters wrote:
| Note that during FAS processing I found out that:
|
| 1) there are many nonsense values instead of keyids in the fas field
| (some put in their fingerprint, which is not useful without a key,
| some had multiple keyids, and one person managed to unicode kill
| python-gnupg by putting their name in there)

The keyid is part of the fingerprint, so with the fingerprint one can
download the key and verify it. Therefore it is the only right thing to do.

| 5) almost all these keys are old keys of which I could forge a fake
| matching keyid and upload it to public key servers.

Can you explain this? For which keys is this not possible? This is afaik
the reason why a keyid is not so useful, but a full fingerprint is. There
is also someone who created such keys for all keys:
https://evil32.com/

Thank you for promoting GPG usage. Did you think about adding unique uids
to Fedora release GPG keys to make them available this way as well?

Regards
Till
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
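As an added example (not part of Till's or Paul's message, nor Fedora's FAS code): a Python check that classifies a user-supplied key field into fingerprint, long key ID, short key ID or nonsense, and only treats a key fetched from a keyserver as verified when its full fingerprint matches the value on file, since a stored key ID is also shared by any colliding key. The fingerprints below are constructed sample values, not real keys.

```python
import re
import unicodedata

# Accepted forms of a user-supplied PGP key field (hex only, case-folded).
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")  # OpenPGP v4 fingerprint, 160 bits
LONG_KEYID_RE = re.compile(r"^[0-9A-F]{16}$")   # low 64 bits of the fingerprint
SHORT_KEYID_RE = re.compile(r"^[0-9A-F]{8}$")   # low 32 bits, trivially collidable

def normalize(value):
    """Fold case, drop an optional 0x prefix and any whitespace, so a
    fingerprint typed in groups of four compares equal to a compact one.
    Arbitrary Unicode (e.g. a name) survives this and is rejected below."""
    value = unicodedata.normalize("NFKC", value).strip()
    if value[:2].lower() == "0x":
        value = value[2:]
    return re.sub(r"\s+", "", value).upper()

def classify(value):
    """Return (kind, normalized) where kind is 'fingerprint', 'long_keyid',
    'short_keyid' or 'invalid'."""
    norm = normalize(value)
    for kind, pattern in (("fingerprint", FINGERPRINT_RE),
                          ("long_keyid", LONG_KEYID_RE),
                          ("short_keyid", SHORT_KEYID_RE)):
        if pattern.match(norm):
            return kind, norm
    return "invalid", norm

def keyid_from_fingerprint(fingerprint, bits=64):
    """The key ID is just the trailing bits of a v4 fingerprint, which is
    why a fingerprint on file lets you derive the ID, but not the reverse."""
    return normalize(fingerprint)[-(bits // 4):]

def check_fetched_key(stored, fetched_fingerprint):
    """Compare the full fingerprint of a key fetched from a keyserver with
    the value on file. 'verified' requires a stored fingerprint; a stored
    key ID only yields 'keyid_only', because a colliding key passes too."""
    kind, norm = classify(stored)
    fetched = normalize(fetched_fingerprint)
    if kind == "invalid":
        return "invalid"
    if kind == "fingerprint":
        return "verified" if norm == fetched else "mismatch"
    return "keyid_only" if fetched.endswith(norm) else "mismatch"

# Constructed sample values (not real keys): the second shares the low
# 32 bits, i.e. the short key ID, with the first but nothing else.
GENUINE_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
COLLIDING_FPR = "FEDCBA9876543210FEDCBA9876543210" + "01234567"
```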