duplicate keyid survey results

Len Sassaman rabbi@quickie.net
Mon Mar 4 03:12:01 2002


The thing that comes to mind immediately for me is that you should allow
for a 64-bit key-ID search.

When 32-bit key ID collisions occur, you may want your key server to
display a warning in the user-interface.

Remember that 32-bit collisions could be accidental, so not reporting them
would prevent the distribution of legitimate keys. (And you mention the
possibility of an intentional DOS.)

I personally think that public key servers should do little more than
accept, store, and report the data that they contain. Preventing the display of
keys with duplicate IDs steps over that line a bit too much for me.

--Len.

On Mon, 4 Mar 2002, Hironobu SUZUKI wrote:

>
> Good job!!
>
> > A current list of duplicate PGP keyids can be found on my website:
>
> I found the same problem when I did some tests of the "search" function of my
> key server (see http://openpksd.org).  My program never returns a
> duplicate keyid because I'm afraid of the fraud key. I know that this
> specificity has a potential of Denial of Service attack.
>
> Please give me some idea how a keyserver should behave about it.
>
> --
> Hironobu SUZUKI        Independent Software Consultant
> E-Mail: hironobu@h2np.net
> URL: http://h2np.net
>
>

--Len.
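
Added example, not part of the original message and not code from any keyserver named in the thread: a small in-memory index that accepts both 32-bit and 64-bit key ID searches, returns every matching key, and attaches a warning when an ID is shared instead of suppressing the results. It assumes V4 keys, where the 64-bit key ID is the low 8 bytes of the 160-bit fingerprint and the 32-bit key ID is the low 4 bytes; the class name, method names, fingerprints and user IDs are constructed for illustration.

```python
from collections import defaultdict


class KeyIndex:
    """Hypothetical keyserver index: store everything, report everything."""

    def __init__(self):
        self._by_id = defaultdict(list)  # 8- or 16-hex-digit key ID -> fingerprints
        self._uids = {}                  # fingerprint -> user ID

    def add(self, fingerprint_hex, uid):
        fpr = fingerprint_hex.replace(" ", "").upper()
        if len(fpr) != 40:
            raise ValueError("expected a 160-bit V4 fingerprint")
        int(fpr, 16)                     # raises ValueError on non-hex input
        if fpr in self._uids:
            return                       # same key submitted twice, not a collision
        self._uids[fpr] = uid
        self._by_id[fpr[-8:]].append(fpr)    # 32-bit key ID (assumed V4 layout)
        self._by_id[fpr[-16:]].append(fpr)   # 64-bit key ID (assumed V4 layout)

    def search(self, key_id):
        """Return (matches, warning). Colliding keys are all returned, never hidden."""
        kid = key_id.strip().upper()
        if kid.startswith("0X"):
            kid = kid[2:]
        if len(kid) not in (8, 16):
            raise ValueError("key ID must be 8 or 16 hex digits")
        int(kid, 16)
        matches = [(f, self._uids[f]) for f in sorted(self._by_id.get(kid, []))]
        warning = None
        if len(matches) > 1:
            warning = (f"{len(matches)} distinct keys share {len(kid) * 4}-bit "
                       f"key ID {kid}; compare full fingerprints before use")
        return matches, warning


def build_sample_index():
    # Constructed fingerprints: A and B share the low 32 bits, differ in the low 64.
    idx = KeyIndex()
    idx.add("0123456789ABCDEF0123456711111111DEADBEEF", "Alice <alice@example.org>")
    idx.add("FEDCBA9876543210FEDCBA9822222222DEADBEEF", "Bob <bob@example.org>")
    idx.add("00112233445566778899AABBCCDDEEFF00112233", "Carol <carol@example.org>")
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    for query in ("DEADBEEF", "0x11111111DEADBEEF", "00112233"):
        print(query, idx.search(query))
```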