On 30.04.2017 at 12:33, Luca Toscano wrote:
Hi Nick,
2017-04-30 1:23 GMT+02:00 Nick Kew <n...@apache.org>:
I've made some updates to our PGP verification page.
They can be seen at
http://httpd.staging.apache.org/dev/verification.html
The reason for updating it is that the old instructions
had become dangerously outdated, by virtue of using
32-bit keys as if they were secure. As discussed in my
recent blog article at
https://bahumbug.wordpress.com/2017/04/27/pretty-good-phishing/
Comment solicited. I tried to preserve the shape of
the original with minimum change to introduce the reality
of 32-bit spoofing.
Looks really good, thanks for doing it.
Thanks Nick.
In the meantime I learned from
https://security.stackexchange.com/questions/84280/short-openpgp-key-ids-are-insecure-how-to-configure-gnupg-to-use-long-key-ids-i
that you can add "--keyid-format long" to the verify command which will
then directly show the signer key in the long format. So from there you
can copy the long key format directly to the recv-keys command and thus
reduce the risk of importing a wrong key.
The "--keyid-format long" can also be set as a config option in the
gpg.conf file: "keyid-format long".
I find that very handy, because the long format seems a good compromise
between the insecure short format and the full fingerprint. Setting the
With the config option set, one doesn't have to remember to use the long one.
Regards,
Rainer
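The procedure Rainer describes (verify with "--keyid-format long", read the signer's long ID off the output, then pin on the full fingerprint), as an added, runnable example. This is not code from the thread or from the httpd project's verification page. It assumes GnuPG 2.1 or later (for --quick-gen-key and the --status-fd VALIDSIG line) and builds a throwaway key, a stand-in "tarball" and its detached signature locally, so it runs offline; the key name, file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the httpd project).
# Verify a detached OpenPGP signature, report the signer's long (64-bit) key ID
# and full fingerprint, and pin verification on the fingerprint.
# Assumes GnuPG >= 2.1. Key, tarball and signature are constructed locally.
set -eu

# Throwaway keyring plus a signed sample file (constructed data). In real use
# the key would come from the project's KEYS file or from recv-keys.
setup_demo() {
  GNUPGHOME="$(mktemp -d)"
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  trap 'gpgconf --kill all >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Demo Release Manager <demo@example.invalid>' default default never
  TARBALL="$GNUPGHOME/httpd-demo.tar.gz"     # constructed stand-in, not a real release
  SIG="$TARBALL.asc"
  TAMPERED="$GNUPGHOME/httpd-demo-tampered.tar.gz"
  printf 'constructed stand-in for a release tarball\n' > "$TARBALL"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --armor --detach-sign --output "$SIG" "$TARBALL"
  # One byte appended: the signature must no longer verify.
  { cat "$TARBALL"; printf 'x'; } > "$TAMPERED"
}

# Human-readable verification with the long key ID, as the thread suggests.
# The 16-hex-digit ID in the "using ... key" line is what you hand to recv-keys.
verify_human() {
  gpg --keyid-format long --verify "$2" "$1" 2>&1
}

# Full fingerprint of the key that made a GOOD signature; empty otherwise.
# The machine-readable --status-fd stream is more robust to parse than the
# text above, whose wording changes between gpg versions.
signer_fingerprint() {
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
    | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# A v4 key ID is just the tail of the fingerprint: 16 hex digits for the long
# form, 8 for the short form the old instructions used. A colliding 32-bit ID
# can be brute-forced trivially, which is why the short form must not be used.
long_keyid()  { printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 15) }'; }
short_keyid() { printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 7) }'; }

# Pin on the full fingerprint the project publishes: the long ID narrows the
# search for the right key, the fingerprint is what is actually checked.
verify_pinned() {
  got="$(signer_fingerprint "$1" "$2")"
  [ -n "$got" ] && [ "$got" = "$3" ]
}

main() {
  if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; nothing to demonstrate" >&2
    return 0
  fi
  setup_demo
  echo '== gpg --keyid-format long --verify =='
  verify_human "$TARBALL" "$SIG"
  fpr="$(signer_fingerprint "$TARBALL" "$SIG")"
  echo "full fingerprint : $fpr"
  echo "long key id      : $(long_keyid "$fpr")   <- what to pass to recv-keys"
  echo "short key id     : $(short_keyid "$fpr")   <- spoofable, do not use"
  if verify_pinned "$TARBALL" "$SIG" "$fpr"; then
    echo "pinned check     : OK"
  fi
  if verify_pinned "$TAMPERED" "$SIG" "$fpr"; then
    echo "tampered file    : UNEXPECTEDLY accepted"
  else
    echo "tampered file    : rejected, as it should be"
  fi
}

main
```

The split between signer_fingerprint and verify_human is deliberate: the text that --keyid-format long produces is for a human reading the terminal, while anything scripted (a CI step, a packaging pipeline) should parse the VALIDSIG status line and compare the whole fingerprint, never a key ID of either length.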
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
For additional commands, e-mail: docs-h...@httpd.apache.org