httpd-docs mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: PGP Verification
Date Sun, 30 Apr 2017 13:10:16 GMT
On 30.04.2017 at 12:33, Luca Toscano wrote:
> Hi Nick,
>
> 2017-04-30 1:23 GMT+02:00 Nick Kew <niq@apache.org>:
>
>     I've made some updates to our PGP verification page.
>     They can be seen at
>     http://httpd.staging.apache.org/dev/verification.html
>
>     The reason for updating it is that the old instructions
>     had become dangerously outdated, by virtue of using
>     32-bit keys as if they were secure.  As discussed in my
>     recent blog article at
>     https://bahumbug.wordpress.com/2017/04/27/pretty-good-phishing/
>
>     Comment solicited.  I tried to preserve the shape of
>     the original with minimum change to introduce the reality
>     of 32-bit spoofing.
>
>
> Looks really good, thanks for doing it.

Thanks Nick.

In the meantime I learned from

https://security.stackexchange.com/questions/84280/short-openpgp-key-ids-are-insecure-how-to-configure-gnupg-to-use-long-key-ids-i

that you can add "--keyid-format long" to the verify command which will 
then directly show the signer key in the long format. So from there you 
can copy the long key format directly to the recv-keys command and thus 
reduce the risk of importing a wrong key.

The "--keyid-format long" can also be set as a config option in the 
gpg.conf file: "keyid-format long".

I find that very handy, because the long format seems a good compromise
between the insecure short format and the full fingerprint. Setting the
config option, one doesn't have to remember to use the long one.

Regards,

Rainer


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
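
The workflow from the message above (read the long key ID from the verify output, then hand only that to recv-keys), sketched as an added example that is not part of the original post or of the httpd project's documentation. The function names, the sample output layout, and every key ID and fingerprint are constructed for illustration; comparing against a fingerprint obtained out of band is an assumption that goes one step beyond the message.

```shell
#!/usr/bin/env bash
# Added example; every key ID and fingerprint here is constructed, not a real key.

# Pull the signer key ID out of the text printed by
#   gpg --keyid-format long --verify <file>.asc <file>
# Accepts "using RSA key ID <id>" (older GnuPG) and "using RSA key <id>" (newer).
signer_keyid() {
    sed -nE 's/^gpg:.*using [A-Za-z0-9]+ key (ID )?(0x)?([0-9A-Fa-f]+)[[:space:]]*$/\3/p' |
        head -n 1
}

# Classify by length: 8 hex digits is the spoofable short form,
# 16 is the long ID, 40 is a full v4 fingerprint.
keyid_kind() {
    case "$1" in ''|*[!0-9A-Fa-f]*) echo invalid; return ;; esac
    case "${#1}" in
        8)  echo short ;;
        16) echo long ;;
        40) echo fingerprint ;;
        *)  echo invalid ;;
    esac
}

# Succeed only if the ID is long or full and is the tail of a fingerprint
# obtained out of band (assumption: you have one to compare against).
matches_fingerprint() {
    local id fpr
    id=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$(keyid_kind "$id")" in long|fingerprint) ;; *) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] && [ "${fpr%"$id"}" != "$fpr" ]
}

# Constructed sample output, shaped like a verify run before the key is imported.
sample_long() { cat <<'EOF'
gpg: Signature made Sun 30 Apr 2017 12:00:00 UTC
gpg:                using RSA key 89ABCDEF01234567
gpg: Can't check signature: No public key
EOF
}
sample_short() {
    echo "gpg: Signature made Sun 30 Apr 2017 12:00:00 UTC using RSA key ID 01234567"
}
TRUSTED_FPR="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"  # constructed

id=$(sample_long | signer_keyid)
echo "signer key ID: $id ($(keyid_kind "$id"))"
matches_fingerprint "$id" "$TRUSTED_FPR" && echo "ok to pass to: gpg --recv-keys $id"
```

In real use, pipe the verify command's stderr into `signer_keyid` (for example with `2>&1`) instead of the sample functions.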

