Bug#254692: marked as done (On keysigning page, give better advice)

To: Matt Kraai <kraai@ftbfs.org>
Cc: James Treacy and others <debian-www@lists.debian.org>
Subject: Bug#254692: marked as done (On keysigning page, give better advice)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 12 Feb 2005 12:48:16 -0800
Message-id: <[🔎] handler.254692.D254692.110824097332237.ackdone@bugs.debian.org>
In-reply-to: <20050212204131.GA2725@localhost.localdomain>
References: <20050212204131.GA2725@localhost.localdomain> <20040616115518.83D5811D310@localhost>

Your message dated Sat, 12 Feb 2005 12:41:32 -0800
with message-id <20050212204131.GA2725@localhost.localdomain>
and subject line Bug#254692: why is checking the key ID required?
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Jun 2004 11:56:14 +0000
>From jdthood@yahoo.co.uk Wed Jun 16 04:56:14 2004
Return-path: <jdthood@yahoo.co.uk>
Received: from post-20.mail.nl.demon.net [194.159.73.1] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BaZ1a-0001ll-00; Wed, 16 Jun 2004 04:56:14 -0700
Received: from [82.161.38.140] (helo=localhost)
	by post-20.mail.nl.demon.net with esmtp (Exim 3.36 #2)
	id 1BaZ1X-000AQ5-00; Wed, 16 Jun 2004 11:56:11 +0000
Received: by localhost (Postfix, from userid 1001)
	id 83D5811D310; Wed, 16 Jun 2004 13:55:18 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Thomas Hood <jdthood@yahoo.co.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: On keysigning page, give better advice
X-Mailer: reportbug 2.61
Date: Wed, 16 Jun 2004 13:55:18 +0200
Message-Id: <20040616115518.83D5811D310@localhost>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: www.debian.org
Severity: normal

On the keysigning page

    http://www.debian.org/events/keysigning

you should mention that participants should verify that the key ID
and key size of the key that they sign both correspond to those that
appear on the slip of paper that was received.  (I.e., a comparison
of the fingerprint is not enough.)  Furthermore, only user IDs that
appear on the slip of paper should be signed, and only user IDs that
have been signed by their owner should be signed.

See, e.g.,
http://www.uk.pgp.net/pgpnet/pgp-faq/pgp-faq-keys.html#key-public-key-forgery

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (900, 'unstable'), (700, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.6
Locale: LANG=en_IE@euro, LC_CTYPE=en_IE@euro

---------------------------------------
Received: (at 254692-done) by bugs.debian.org; 12 Feb 2005 20:42:53 +0000
>From kraai@lafn.org Sat Feb 12 12:42:53 2005
Return-path: <kraai@lafn.org>
Received: from zoot.lafn.org [206.117.18.6] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D046O-0008Nl-00; Sat, 12 Feb 2005 12:42:52 -0800
Received: from localhost.localdomain (host-66-59-246-5.lcinet.net [66.59.246.5])
	(authenticated bits=0)
	by zoot.lafn.org (8.13.1/8.13.1) with ESMTP id j1CKfrgi021284
	(version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO);
	Sat, 12 Feb 2005 12:42:09 -0800 (PST)
	(envelope-from kraai@lafn.org)
Received: from kraai by localhost.localdomain with local (Exim 4.34)
	id 1D0456-0000uj-6r; Sat, 12 Feb 2005 12:41:34 -0800
Date: Sat, 12 Feb 2005 12:41:32 -0800
From: Matt Kraai <kraai@ftbfs.org>
To: Thomas Hood <jdthood@aglu.demon.nl>, 254692-done@bugs.debian.org
Message-ID: <20050212204131.GA2725@localhost.localdomain>
References: <20050211103117.GB3883@localhost.localdomain> <1108120068.10175.40.camel@thanatos>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="vtzGhvizbBRQ85DL"
Content-Disposition: inline
In-Reply-To: <1108120068.10175.40.camel@thanatos>
User-Agent: Mutt/1.5.6+20040907i
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: kraai@lafn.org
Subject: Re: Bug#254692: why is checking the key ID required?
X-SA-Exim-Version: 4.2 (built Tue, 25 Jan 2005 19:51:04 +0000)
X-SA-Exim-Scanned: Yes (on localhost.localdomain)
X-Virus-Scanned: ClamAV version 0.82, clamav-milter version 0.82 on zoot.lafn.org
X-Virus-Status: Clean
Delivered-To: 254692-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--vtzGhvizbBRQ85DL
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Feb 11, 2005 at 12:07:48PM +0100, Thomas Hood wrote:
> On Fri, 2005-02-11 at 02:31 -0800, Matt Kraai wrote:
> > According to
> >  http://www.uk.pgp.net/pgpnet/pgp-faq/pgp-faq-keys.html#key-public-key-=
forgery
> > it seems that the key fingerprint and key length should uniquely
> > identify a key.  How would checking the key ID thwart an attacker?
>=20
>=20
> >From the page you refer to:
> > A: As explained in question Can a public key be forged?, each
> > component of the public key can be faked. It is, however, not possible
> > to create a fake key for which all the components match.
> >=20
> > For this reason, you should always verify that key ID, fingerprint,
> > and key size correspond when you are about to use someone's key. And
> > when you sign a user ID, make sure it is signed by the key's owner!
> >=20
> > Similarly, if you want to provide information about your key, include
> > key ID, fingerprint and key size.
>=20
>=20
> For the keys that Debian uses at least, the fingerprint includes the key
> ID as the last eight hex digits, so it suffices to verify that the whole
> fingerprint and the key size correspond.

OK, I've updated the page.

--=20
Matt

--vtzGhvizbBRQ85DL
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCDmn7fNdgYxVXvBARAlDwAKCQ1hmkDdtTUaRGpqy1owTJap4PBgCfbQcb
ef8IZy8eEsrjttn/PxQIfFs=
=alFO
-----END PGP SIGNATURE-----

--vtzGhvizbBRQ85DL--

Reply to:

Prev by Date: Bug#294857: please mention upgrade-install in "Release Notes" chapter "Reporting Bugs"
Next by Date: Re: Bug#251813: marked as done (Sarge install manual not available in an obvious place)
Previous by thread: Bug#294857: please mention upgrade-install in "Release Notes" chapter "Reporting Bugs"
Next by thread: issue with Debian Lithuanian site
Index(es):
- Date
- Thread