On Wed, Feb 12, 2020 at 11:14:32PM +0100, Björn Persson wrote: > Kevin Fenzi wrote: > > well, they are already pretty bad because fas just stores the short > > version, which has been subject to duplicates for... years now? > > My FAS account shows a 64-bit key ID. Yours shows 32 bits. I guess it > displays what you give it. As far as I have heard only 32-bit key IDs > have been duplicated. > > It would be better if the user interface didn't require users to know > such details. Yeah, we may have added a change to let you specify the longer one at some point. Not sure. > > > Not sure what best to do here. I fear gpg is pretty much a failure these > > days and we need something better, but I am not sure what that is. > > I think GnuPG is best thought of as a building block, essentially a > library that programs can use for their encryption and authentication > needs. It works well when used that way, for example by RPM/Yum. Viewed > as a tool, it's only usable to crypto nerds. Agreed. > The "web of trust" is clearly not working. In the more than 21 years > I've had PGP keys I have never once been able to validate a key through > a chain of signatures. The attack on SKS is another nail in its coffin. > Another certification method is needed, and WKD is one candidate. well, WKD just replaces the 'web of trust' part, the rest of gpg/pgp is still there: horrible setup, poor docs, configuration thats a nightmare, etc. Sadly, I don't know what the answer is, but getting more than just nerds using gpg is not going to happen. ;( kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
