Paul Wouters wrote: >On Wed, 28 Jan 2015, Till Maas wrote: >> | 5) almost all these keys are old keys of which I could forge a fake >> | matching keyid and upload it to public key servers. >> >> Can you explain this? For which keys is this not possiblea > >https://github.com/coruus/cooperpair/tree/master/keysteak > >Only v4 keys are safe. > >> This is afaik >> the reason why a keyid is not so useful, but a full fingerprint is. > >Right. Although to make the v3 keys safe to use, I understood that the >way one generates/shows a fingerprint would change, so therefor the old >vulnerable fingerprint would change anyway, so you might as well just >generate a new v4 key. Hmm? An old key that I generated in 1998 appears to be version 4. I'll be quite surprised if "almost all" of the Fedora contributors who have entered key IDs in FAS are using keys that are even older than that. I'd be much more ready to believe that almost all of them have entered fakeable 32-bit key IDs of their version 4 keys instead of the more secure 64-bit key IDs. -- Björn Persson
Attachment:
pgpmpZVMJtTKb.pgp
Description: OpenPGP digital signatur
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
