On Wed, 28 Jan 2015, Till Maas wrote:
> The keyid is part of the fingerprint, so with the fingerprint one can download the key and verify it. Therefore it is the only right thing to do.
I'm not saying don't store the fingerprint, but use a separate field for that which is not the keyid field. People write the fingerprint in various different syntaxes, using : or - or " ", etc.
> | 5) almost all these keys are old keys of which I could forge a fake
> | matching keyid and upload it to public key servers.
>
> Can you explain this? For which keys is this not possible?
https://github.com/coruus/cooperpair/tree/master/keysteak

Only v4 keys are safe.
> This is afaik the reason why a keyid is not so useful, but a full fingerprint is.
Right. Although to make the v3 keys safe to use, I understood that the way one generates/shows a fingerprint would change, so therefore the old vulnerable fingerprint would change anyway, so you might as well just generate a new v4 key.
> Thank you for promoting GPG usage. Did you think about adding unique uids to Fedora release GPG keys to make them available this way as well?
I thought about it but we don't use unique email addresses for different release keys. So they would all be under fedora@xxxxxxxxxxxxxxxxx. I could put them under fedoraXX@xxxxxxxxxxxxxxxxx ?

Paul
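As an added illustration (not code from this thread or from keysteak), a small Python helper for the two points above: it normalizes the fingerprint syntaxes people use (spaces, colons, hyphens, optional 0x), derives the key ID from a v4 fingerprint, and refuses to derive one for a v3 fingerprint, since a v3 key ID comes from the RSA modulus rather than the fingerprint. The sample fingerprint is constructed and belongs to no real key.

```python
import re

# Constructed sample fingerprint (not a real key), written in the separator
# styles mentioned in the thread plus a bare lower-case form.
SAMPLE_FINGERPRINTS = [
    "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678",
    "12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0:12:34:56:78",
    "12345678-9ABCDEF0-12345678-9ABCDEF0-12345678",
    "123456789abcdef0123456789abcdef012345678",
]

_SEPARATORS = re.compile(r"[\s:\-]")


def _clean_hex(text):
    """Drop separators and an optional 0x prefix, upper-case, require hex digits."""
    s = _SEPARATORS.sub("", text).upper()
    if s.startswith("0X"):
        s = s[2:]
    if not re.fullmatch(r"[0-9A-F]+", s):
        raise ValueError("not hexadecimal: %r" % text)
    return s


def normalize_fingerprint(text):
    """Canonical fingerprint: 32 hex digits (v3, MD5) or 40 hex digits (v4, SHA-1)."""
    fpr = _clean_hex(text)
    if len(fpr) not in (32, 40):
        raise ValueError("fingerprint must be 32 (v3) or 40 (v4) hex digits, got %d" % len(fpr))
    return fpr


def fingerprint_version(text):
    """4 for a 40-digit SHA-1 fingerprint, 3 for a 32-digit MD5 fingerprint."""
    return 4 if len(normalize_fingerprint(text)) == 40 else 3


def keyid_from_fingerprint(text, long_form=True):
    """For v4 keys the key ID is the low 64 bits of the fingerprint (low 32 for the
    short ID). A v3 key ID is taken from the RSA modulus instead, so it cannot be
    derived here; that independence is why a v3 key ID cannot identify a key safely."""
    fpr = normalize_fingerprint(text)
    if len(fpr) != 40:
        raise ValueError("v3 key IDs are not derived from the fingerprint; use a v4 key")
    return fpr[-16:] if long_form else fpr[-8:]


def keyid_matches(keyid, fingerprint):
    """True when a stored short or long key ID is consistent with a v4 fingerprint."""
    kid = _clean_hex(keyid)
    if len(kid) not in (8, 16):
        raise ValueError("key ID must be 8 or 16 hex digits")
    return keyid_from_fingerprint(fingerprint, long_form=(len(kid) == 16)) == kid
```

Storing the normalized 40-digit fingerprint in its own field and deriving the key ID from it on demand avoids the mismatch between the two fields that the thread describes.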