LuKreme wrote:
> I read the man page, where there is no mention of how to obtain this
> number. In fact, I read many posts, and many webpages and have still not
> found that information. I've seen the IDs in others' posts, sure, but
> where do they originate?
>
> Even searching the wiki (which just links to the previously linked
> http://taint.org/2007/08/15/004348a.html ) is merely a "here's the
> random-looking digits you pass to --gpgkey" and not a "here's what the
> --gpgkey is, means, and how it's generated".

These numbers are a way of identifying those keys. They are a
cryptographically strong hash: the idea is that it’s easy for users to use
numbers that short to confirm that the key they’ve received is the key they
thought they were receiving, and very difficult for any attacker to generate
another key with the same hash.

> Why doesn't sa-learn simply trust the keys that are added to its
> keychain without this extra (and at least for me, confusing) step? I'm
> starting to think the simplest way to do this is just ignore the gpg
> flags entirely and use --nogpg. What's the downside to this (other than
> the obvious DNS hijacking to point the URL to some spammer site with bad
> data which seems a remote enough chance to ignore).

That’s your choice.

Hope this helps,

James.

-- 
E-mail: james@      | “Right lads, we’ve got 45 minutes to score 37 goals.
aprilcottage.co.uk  | No problem with that -- the other team just did.”
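
Where the number comes from, as an added example that is not part of either post: for a version 4 OpenPGP key (RFC 4880, section 12.2) the fingerprint is the SHA-1 hash of the public-key packet, and the 16- and 8-hex-digit key IDs that gpg displays are the trailing digits of that fingerprint. The key material below is constructed for illustration and is not a real key; the function names are hypothetical.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for an RSA key (algorithm 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def key_identifiers(body: bytes) -> dict:
    """V4 fingerprint and the key IDs derived from it.

    The hash input is the octet 0x99, a 2-byte big-endian length of the
    packet body, then the body itself.
    """
    data = b"\x99" + struct.pack(">H", len(body)) + body
    fingerprint = hashlib.sha1(data).hexdigest().upper()
    return {
        "fingerprint": fingerprint,      # 160 bits, 40 hex digits
        "long_id": fingerprint[-16:],    # low 64 bits
        "short_id": fingerprint[-8:],    # low 32 bits
    }


# Constructed sample values (assumptions, not taken from any real key):
# a 1024-bit odd number standing in for the RSA modulus, and a creation time.
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed").digest() * 4, "big") | (1 << 1023) | 1
SAMPLE_E = 65537
SAMPLE_CREATED = 1187136000


def demo() -> dict:
    """Identifiers for the constructed sample key."""
    return key_identifiers(rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E))


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

The full fingerprint is the value to compare against a trusted copy; the short ID is only its last 32 bits.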