Your message dated Sat, 12 Feb 2005 12:41:32 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#254692: why is checking the key ID required?
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Thomas Hood <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: On keysigning page, give better advice
X-Mailer: reportbug 2.61
Date: Wed, 16 Jun 2004 13:55:18 +0200

Package: www.debian.org
Severity: normal

On the keysigning page

    http://www.debian.org/events/keysigning

you should mention that participants should verify that the key ID
and key size of the key that they sign both correspond to those that
appear on the slip of paper that was received.  (I.e., a comparison
of the fingerprint is not enough.)  Furthermore, only user IDs that
appear on the slip of paper should be signed, and only user IDs that
have been signed by their owner should be signed.

See, e.g.,
http://www.uk.pgp.net/pgpnet/pgp-faq/pgp-faq-keys.html#key-public-key-forgery

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (900, 'unstable'), (700, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.6
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]

---------------------------------------
Date: Sat, 12 Feb 2005 12:41:32 -0800
From: Matt Kraai <[EMAIL PROTECTED]>
To: Thomas Hood <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#254692: why is checking the key ID required?

On Fri, Feb 11, 2005 at 12:07:48PM +0100, Thomas Hood wrote:
> On Fri, 2005-02-11 at 02:31 -0800, Matt Kraai wrote:
> > According to
> >  http://www.uk.pgp.net/pgpnet/pgp-faq/pgp-faq-keys.html#key-public-key-forgery
> > it seems that the key fingerprint and key length should uniquely
> > identify a key.  How would checking the key ID thwart an attacker?
>
>
> From the page you refer to:
> > A: As explained in question Can a public key be forged?, each
> > component of the public key can be faked. It is, however, not possible
> > to create a fake key for which all the components match.
> >
> > For this reason, you should always verify that key ID, fingerprint,
> > and key size correspond when you are about to use someone's key. And
> > when you sign a user ID, make sure it is signed by the key's owner!
> >
> > Similarly, if you want to provide information about your key, include
> > key ID, fingerprint and key size.
>
>
> For the keys that Debian uses at least, the fingerprint includes the key
> ID as the last eight hex digits, so it suffices to verify that the whole
> fingerprint and the key size correspond.

OK, I've updated the page.

-- 
Matt
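
Added example, not part of the original thread: a Python sketch of why the key ID is already contained in the fingerprint for version 4 OpenPGP keys (RFC 4880, section 12.2), while for version 3 keys the key ID comes from the RSA modulus and has to be compared separately. The modulus, exponent, creation time and function names are constructed for illustration and do not describe any real key.

```python
import hashlib
import struct

def raw(x: int) -> bytes:
    """Big-endian bytes of an integer, no length prefix."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def mpi(x: int) -> bytes:
    """OpenPGP MPI: two-byte bit count followed by the integer's bytes."""
    return struct.pack(">H", x.bit_length()) + raw(x)

def v4_rsa_body(created: int, n: int, e: int) -> bytes:
    """Version 4 RSA public-key packet body: version, creation time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the two-byte body length, and the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def v4_key_ids(fpr: str) -> tuple:
    """Long and short key IDs are the last 16 and last 8 hex digits of the fingerprint."""
    return fpr[-16:], fpr[-8:]

def v3_fingerprint(n: int, e: int) -> str:
    """Version 3: MD5 over the bytes of n then e, with no length fields hashed."""
    return hashlib.md5(raw(n) + raw(e)).hexdigest().upper()

def v3_key_id(n: int) -> str:
    """Version 3: low 64 bits of the modulus, computed independently of the fingerprint."""
    return f"{n & 0xFFFFFFFFFFFFFFFF:016X}"

def slip_matches(slip_fpr: str, slip_bits: int, body: bytes, n: int) -> bool:
    """Keysigning check for a v4 key: whole fingerprint and key size must both match."""
    return slip_fpr.replace(" ", "").upper() == v4_fingerprint(body) and slip_bits == n.bit_length()

# Constructed sample values (not a real key; N is not a product of two primes).
N = (1 << 1023) | 0xDEADBEEF0BADF00D
E = 65537
CREATED = 1087387200

if __name__ == "__main__":
    body = v4_rsa_body(CREATED, N, E)
    fpr = v4_fingerprint(body)
    print("v4 fingerprint:", fpr, "key IDs:", v4_key_ids(fpr))
    print("v3 fingerprint:", v3_fingerprint(N, E), "key ID:", v3_key_id(N))
    print("slip check:", slip_matches(fpr, 1024, body, N))
```
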
