[Catalog-sig] User profile: PGP Key ID

Daniel Holth dholth at gmail.com
Wed Feb 20 21:02:00 CET 2013


On Wed, Feb 20, 2013 at 2:56 PM, Giovanni Bajo <rasky at develer.com> wrote:

> On 20 Feb 2013, at 19:44, Bernhard Seibold <bernhard.seibold at gmail.com> wrote:
>
> > Hi!
> >
> > I noticed that in the user profile, the PGP Key ID is 8 hex digits only. This is a bad idea:
> >
> > http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
> >
> > Honestly I don't know what that Key ID is used for, but it should be either fixed or removed.
>
>
>
> Thanks, we are in the process of defining an overhaul of the security of
> PyPI, and removing short key IDs is already considered:
>
> https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit
>
> (see task #10: Use GPG key fingerprints instead of short IDs)
>

You know how to do S/MIME; how much harder would it be to use X.509
signatures as are supported with openssl and bundled GUI cert managers on
all OSs?