[1.4.0] hidden recipient vs. ID 00000000

David Shaw dshaw at jabberwocky.com
Sun Jan 30 00:18:19 CET 2005

On Sat, Jan 29, 2005 at 11:08:36PM +0100, Florian Weimer wrote:
> * David Shaw:
> >> All-0 is not a valid V3 key ID because its LSB is not set.  All-1 is
> >> theoretically valid, but rather unlikely (it imposes rather strict
> >> requirements on the lower bits in both prime factors).
> >
> > True, but it doesn't matter in this case since all-0 and all-1 are
> > both valid in the context of the key ID in a session key packet since
> > v4 keys can be all-0 or all-1.
> But this is extremely unlikely.

Indeed.  1 in 2^64 chance for either.

> Currently, it's not computationally feasible to create such V4 keys.

Not computationally feasible to create such a collision, but I'm
talking about a natural collision: the all-0 or all-1 key ID has the
same chance as any other key ID in v4.  Which is to say very, very
unlikely but not zero.

> IMHO, RFC 2440bis should even outlaw generation of keys which such
> key IDs.

I understand the desire to outlaw all-0 keys, but why would you outlaw
all-1 keys?  (or did you just mean all-0?)


More information about the Gnupg-devel mailing list