Re: Now Publishing fedora developer PGP keys in DNSSEC

On Wed, Jan 28, 2015 at 06:10:13PM -0500, Paul Wouters wrote:
> On Wed, 28 Jan 2015, Till Maas wrote:
> 
> >The keyid is part of the fingerprint, so with the fingerprint one can
> >download the key and verify it. Therefore it is the only right thing to
> >do.
> 
> I'm not saying don't store the fingerprint, but use a separate field for
> that which is not the keyid field. People write the fingerprint in
> various different syntaxes, using : or - or " ", etc.

The keyid is worthless, because the fingerprint always needs to be
checked. So even with a second field there would be a problem with extra
characters that can be easily solved by just ignoring any
non-hexadecimal key. Enforcing to store fingerprints is a planned feature
for the new FAS:
https://github.com/fedora-infra/fas/issues/53

> >| 5) almost all these keys are old keys of which I could forge a fake
> >|     matching keyid and upload it to public key servers.
> >
> >Can you explain this? For which keys is this not possible?
> 
> https://github.com/coruus/cooperpair/tree/master/keysteak
> 
> Only v4 keys are safe.

They are not safe. This was what was shown at
https://evil32.com/

> >Thank you for promoting GPG usage. Did you think about
> >adding unique uids to Fedora release GPG keys to make them available
> >this way as well?
> 
> I thought about it but we don't use unique email addresses for different
> release keys. So they would all be under fedora@xxxxxxxxxxxxxxxxx.
> 
> I could put them under fedoraXX@xxxxxxxxxxxxxxxxx ?

There are two keys per release, one for primary and one for secondary
archs. I opened a rel-eng ticket, so we can discuss it there or at the
next meeting, but the next two meetings might be skipped due to
conference travelling:

https://fedorahosted.org/rel-eng/ticket/6096

Regards
Till
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
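
An added example, not part of the original message and not FAS code: one way to accept a fingerprint written with ":", "-" or spaces by ignoring non-hexadecimal characters, and to compare full fingerprints rather than key IDs. It assumes v4 keys (40 hex digit fingerprint, key ID taken from its low-order digits); the function names and both fingerprints are constructed for illustration.

```python
import re

V4_FINGERPRINT_HEX_DIGITS = 40  # a v4 fingerprint is a 160-bit SHA-1 digest


def normalize_fingerprint(text):
    """Return the fingerprint as 40 uppercase hex digits, or raise ValueError."""
    s = text.strip()
    if s.lower().startswith("0x"):  # '0' is a hex digit, so drop the prefix first
        s = s[2:]
    digits = re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    # The length check catches pasted labels ("Key fingerprint = ...") whose
    # letters e/f would otherwise be silently absorbed as hex digits.
    if len(digits) != V4_FINGERPRINT_HEX_DIGITS:
        raise ValueError(f"expected 40 hex digits, got {len(digits)}")
    return digits


def long_keyid(fingerprint):
    """64-bit key ID: the last 16 hex digits of a v4 fingerprint."""
    return normalize_fingerprint(fingerprint)[-16:]


def short_keyid(fingerprint):
    """32-bit key ID: the last 8 hex digits of a v4 fingerprint."""
    return normalize_fingerprint(fingerprint)[-8:]


def same_key(stored, fetched):
    """Compare the stored fingerprint with that of the downloaded key."""
    return normalize_fingerprint(stored) == normalize_fingerprint(fetched)


# Constructed sample data, not real keys.
CANONICAL = "0123456789ABCDEF0123456789ABCDEF01234567"
STORED_FORMS = [
    "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67",
    "0123-4567-89AB-CDEF-0123-4567-89AB-CDEF-0123-4567",
    "0x0123456789abcdef0123456789abcdef01234567",
]
# A different fingerprint that shares the same short key ID.
COLLIDING = "F" * 32 + "01234567"

if __name__ == "__main__":
    for form in STORED_FORMS:
        print(normalize_fingerprint(form))
    print(short_keyid(CANONICAL) == short_keyid(COLLIDING))  # key IDs agree
    print(same_key(CANONICAL, COLLIDING))                    # fingerprints do not
```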