Kevin Fenzi wrote: > well, they are already pretty bad because fas just stores the short > version, which has been subject to duplicates for... years now? My FAS account shows a 64-bit key ID. Yours shows 32 bits. I guess it displays what you give it. As far as I have heard only 32-bit key IDs have been duplicated. It would be better if the user interface didn't require users to know such details. > Not sure what best to do here. I fear gpg is pretty much a failure these > days and we need something better, but I am not sure what that is. I think GnuPG is best thought of as a building block, essentially a library that programs can use for their encryption and authentication needs. It works well when used that way, for example by RPM/Yum. Viewed as a tool, it's only usable to crypto nerds. The "web of trust" is clearly not working. In the more than 21 years I've had PGP keys I have never once been able to validate a key through a chain of signatures. The attack on SKS is another nail in its coffin. Another certification method is needed, and WKD is one candidate. Björn Persson
Attachment:
pgpbUoT6tAtpb.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
