On Fri, May 19, 2017 at 6:41 PM, David Sommerseth <[email protected]> wrote: > On 19/05/17 21:23, Jonathan K. Bullard wrote: [snip] > > OK, I get that, but the key file from the link David provided (and > > which was also in his reply to the email announcing 2.3.16): > > > > <http://pgp.mit.edu/pks/lookup?op=get&search=0x12F5F7B42F2B01E7> > > > > is not identical to the "Security mailing list GPG key" I just > > downloaded from the "sig" page. > > > > Is that a problem? > > What is the difference you see? To mem both looks identical when > importing them into GPG. But I haven't dug too deep into the details.
The contents of the files were different, which bothered me. I now understand that that is OK -- I apologize for being too paranoid :) They import identically for me, so all is well. > One detail though, the "real" key ID is always the finger print. Then > there is two types of key IDs, one short and one long. But those are > just from the last bytes from the fingerprint. > > Key fingerprint: F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7 > Key ID - long: 12F5 F7B4 2F2B 01E7 > Key ID - short: 2F2B 01E7 Ah. Thanks for the explanation. That makes sense! :) > When I import both keys into the different brand new GPG key rings, I do > get the same result when listing these keys. But I haven't dug too deep > into the context. Plus the pgp.mit.edu site might have done some > non-critical, minor changes in how the key looks like - compared to > Samuli's version. Yes, that's apparently what happened. > That said, this security key is based upon the recommended sub-key > approach [0]. That means that those of us among the developers can only > use that key for signing and decryption data and with a fairly short > lifetime (1 year). They are not capable to sign other keys, updating > the lifetime of the keys or any operation requiring the master key. So > I highly doubt Samuli have done anything special with that key. Only I > have the master key, which is well stored on a protected medium which is > offline the very most of the time. > > > [0] <https://alexcabal.com/creating-the-perfect-gpg-keypair/> Thank you for your clear explanations, David -- and your patience! Best regards, Jon ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
