Signature key length limitations

Len Sassaman rabbi@quickie.net
Wed Aug 21 06:30:02 2002


On Tue, 20 Aug 2002, Aaron Lehmann wrote:

> I just walked a friend through the process of creating an RSA key with
> GPG (always use a guinea pig!) and it seems to work fine. However, the
> keyservers think his key has an ID totally different from what GPG
> says it is. Because of this they're also confused by his
> self-signature and think it's a signature from an unknown key. This
> also forces people who want to grab his key from the keyserver to
> request keyid 46E8F0B5 instead of the last 8 hex digits of the
> fingerprint (0B2F2D54). Aaarrgh. But this problem is kind of off-topic
> and belongs on pgp-keyserver-folk....

pgp-keyserver-folk already knows about this problem. You're using a
keyserver that is either running pksd or OpenKeyServer, neither of which
is really very robust or OpenPGP-aware.

You'll have much better luck using a keyserver that is either running NAI
Keyserver 7.0 or CKS. Examples: keyserver.pgp.com, horowitz.surfnet.nl
(over LDAP only!), gnv.us.ks.cryptnet.net.

(In short, the broken keyserver software sees that the key you sent it is
RSA, and calculates the keyid as though it were a v3 keyid. It goes
downhill from there.)

--Len.
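
Added example, not part of the original message and not any keyserver's actual code: a Python sketch of the two key ID rules behind the mismatch described above, with the broken keyserver modelled as "RSA means v3". The modulus, timestamp and function names are constructed for illustration; the rules themselves are the ones in the OpenPGP specification (v3: low 64 bits of the RSA modulus; v4: low 64 bits of the SHA-1 fingerprint of the key packet).

```python
import hashlib
import struct

RSA = 1  # OpenPGP public-key algorithm ID for RSA (encrypt or sign)

def mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then the bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_rsa_packet_body(created, n, e):
    """Body of a version 4 RSA public-key packet."""
    return bytes([4]) + struct.pack(">I", created) + bytes([RSA]) + mpi(n) + mpi(e)

def read_modulus(body):
    """Return the RSA modulus n (first MPI) from a public-key packet body."""
    bits = struct.unpack(">H", body[6:8])[0]
    return int.from_bytes(body[8:8 + (bits + 7) // 8], "big")

def keyid_v3(n):
    """v3 rule: the key ID is the low 64 bits of the RSA modulus."""
    return "%016X" % (n & 0xFFFFFFFFFFFFFFFF)

def fingerprint_v4(body):
    """v4 rule: SHA-1 over 0x99, the 2-byte body length, then the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def keyid_v4(body):
    """v4 rule: the key ID is the low 64 bits of the fingerprint."""
    return fingerprint_v4(body)[-16:]

def keyserver_keyid(body, openpgp_aware):
    """Key ID a keyserver would index this key under (modelled behaviour)."""
    version, algo = body[0], body[5]
    if version == 4 and (openpgp_aware or algo != RSA):
        return keyid_v4(body)
    return keyid_v3(read_modulus(body))  # broken path: RSA is treated as v3

# Constructed sample values, not a real key: the ID rules only look at bytes.
N = int.from_bytes(bytes(range(1, 129)), "big") | 1
BODY = v4_rsa_packet_body(1029888000, N, 65537)

if __name__ == "__main__":
    print("v4 fingerprint       ", fingerprint_v4(BODY))
    print("OpenPGP-aware server ", keyserver_keyid(BODY, True)[-8:])
    print("v3-only server       ", keyserver_keyid(BODY, False)[-8:])
```

The last 8 hex digits printed for the OpenPGP-aware server match the tail of the fingerprint, while the v3-only path yields an unrelated ID taken from the modulus, so a lookup by the fingerprint's short ID misses the key and the self-signature's issuer ID no longer matches the indexed key.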