On 19/05/17 21:23, Jonathan K. Bullard wrote:
[...snip...]
>> Right now the signature situation is a bit confusing, as 2.4.2 is still
>> signed with my new key, and 2.3.16 is using the secur...@openvpn.net
>> key. That is all documented here, though:
>>
>> <https://openvpn.net/index.php/open-source/documentation/sig.html>
>
> OK, I get that, but the key file from the link David provided (and
> which was also in his reply to the email announcing 2.3.16):
>
> <http://pgp.mit.edu/pks/lookup?op=get&search=0x12F5F7B42F2B01E7>
>
> is not identical to the "Security mailing list GPG key" I just
> downloaded from the "sig" page.
>
> Is that a problem?

What is the difference you see? To me both look identical when importing
them into GPG. But I haven't dug too deep into the details.

One detail though, the "real" key ID is always the fingerprint. Then there
are two types of key IDs, one short and one long. But those are just from
the last bytes from the fingerprint.

  Key fingerprint: F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7
  Key ID - long:                                 12F5 F7B4 2F2B 01E7
  Key ID - short:                                          2F2B 01E7

When I import both keys into different brand new GPG key rings, I do get
the same result when listing these keys. But I haven't dug too deep into
the context. Plus the pgp.mit.edu site might have done some non-critical,
minor changes in how the key looks, compared to Samuli's version.

That said, this security key is based upon the recommended sub-key
approach [0]. That means that those of us among the developers can only use
that key for signing and decrypting data and with a fairly short lifetime
(1 year). They are not capable of signing other keys, updating the lifetime
of the keys or any operation requiring the master key. So I highly doubt
Samuli has done anything special with that key. Only I have the master
key, which is well stored on a protected medium which is offline most of
the time.

[0] <https://alexcabal.com/creating-the-perfect-gpg-keypair/>

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
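
The point made in the reply above (a key is identified by its fingerprint, and the long and short key IDs are its trailing bytes), shown as an added example that is not part of the original email. It goes slightly beyond the email by computing the v4 fingerprint per RFC 4880 from binary (dearmored) OpenPGP data, run over two constructed, byte-wise different exports of one made-up key; the function names and sample bytes are assumptions for illustration.

```python
import hashlib
import struct

def packets(data):
    """Yield (tag, body) for each packet in binary (dearmored) OpenPGP data."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header: tag in the low 6 bits
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled here")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def fingerprint(data):
    """V4 fingerprint of the first public-key packet (tag 6): SHA-1 over 0x99, length, body."""
    for tag, body in packets(data):
        if tag == 6 and body[:1] == b"\x04":
            return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    raise ValueError("no v4 public-key packet found")

def key_ids(fpr):
    """Long and short key IDs: the last 16 and last 8 hex digits of the fingerprint."""
    fpr = fpr.replace(" ", "").upper()
    return fpr[-16:], fpr[-8:]

# Constructed bytes, not a real key: one v4 RSA key body wrapped in two different exports.
KEY = b"\x04" + struct.pack(">I", 1495000000) + b"\x01" + b"\x00\x10\xc0\xde" + b"\x00\x02\x03"
UID = b"Example Key <key@example.invalid>"
EXPORT_A = b"\x99" + struct.pack(">H", len(KEY)) + KEY + b"\xb4" + bytes([len(UID)]) + UID
EXPORT_B = b"\xc6" + bytes([len(KEY)]) + KEY + b"\xcd" + bytes([len(UID)]) + UID + b"\xcd\x03abc"

if __name__ == "__main__":
    print(EXPORT_A != EXPORT_B, fingerprint(EXPORT_A) == fingerprint(EXPORT_B))
```

EXPORT_A uses old-format packet headers; EXPORT_B uses new-format headers and carries an extra user ID packet, so the files differ while the primary key fingerprint does not.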