Using second keyring may be misleading?
Georgi Guninski
guninski at guninski.com
Fri Jun 22 08:32:27 CEST 2012
On Thu, Jun 21, 2012 at 11:57:47PM -0400, Daniel Kahn Gillmor wrote:
> On 06/15/2012 08:30 AM, Georgi Guninski wrote:
> > This is ubuntu's problem I don't care much about, but they need to
> > verify the keys are signed.
> >
> > The k at k contains a subkey colliding with ubuntu's key 3F272F5B.
>
> colliding at how many trailing bits? what happens if you use
> "--keyid-format long"?
>
> --dkg
>
Sorry but I don't have time to waste on this.
The colliding keyring is in this thread and ubuntu's master key
is available in the distribution and on keyservers.
The attack succeeded (ubuntu used --with-colons).
For me |--keyid-format long| shows complete collision of 64 bits,
same for |--with-colons|, as per design of the collision.
More information about the Gnupg-devel
mailing list