duplicate keyid survey results
Mon Mar 4 09:13:02 2002
-----BEGIN PGP SIGNED MESSAGE-----
Len Sassaman firstname.lastname@example.org wrote:
> The thing that comes to mind immediately for me is that you should allow
> for a 64-bit key-ID search.
I think all (most?) keyservers allow this.
Some even allow search by fingerprint.
> When 32-bit key ID collisions occur, you may want your key server to
> display a warning in the user-interface.
> Remember that 32-bit collisions could be accidental,
Exactly. There are about 1600000 keys on the server ( http://www.dtype.org/keyanalyze/ ).
That's more than enough for the birthday paradox.
81 keys with duplicate keyids are normal; some of them are DEADBEAFed, of course.
> so not reporting them
> would prevent the distribution of legitimate keys. (And you mention the
> possibility of an intentional DOS.)
> I personally think that public key servers should do little more than
> accept, store, and report data that it contains.
IMO, a keyserver SHOULD NOT accept keys/userids that are not self-signed.
> Preventing the display of
> keys with duplicate IDs steps over that line a bit too much for me.
> On Mon, 4 Mar 2002, Hironobu SUZUKI wrote:
> > > A current list of duplicate PGP keyids can be found on my website:
http://disastry.dhs.org/pgp <----PGP plugins for Netscape and MDaemon
^----PGP 2.6.3ia-multi05 (supports IDEA, CAST5, BLOWFISH, TWOFISH,
AES, 3DES ciphers and MD5, SHA1, RIPEMD160, SHA2 hashes)
-----BEGIN PGP SIGNATURE-----
Version: Netscape PGP half-Plugin 0.15 by Disastry / PGPsdk v1.7.1
-----END PGP SIGNATURE-----
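
The lookup behaviour discussed in this thread (search by 32-bit ID, 64-bit ID or fingerprint, and warn on a collision instead of hiding keys), as an added example that is not part of the original message or of any keyserver's code. It assumes v4 keys, whose key ID is the low-order 64 bits of the fingerprint; the sample keys and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (40-hex-digit v4 fingerprint, user ID). Not real keys.
SAMPLE_KEYS = [
    ("1111111111111111111111110123456789ABCDEF", "alice@example.org"),
    ("2222222222222222222222229999999989ABCDEF", "bob@example.org"),
    ("3333333333333333333333330123456789ABCDEF", "mallory@example.org"),
    ("444444444444444444444444AAAAAAAA0BADF00D", "carol@example.org"),
]
HEX = set("0123456789ABCDEF")

def normalize(query):
    """Accept a 32-bit ID, 64-bit ID or full fingerprint, with optional 0x."""
    q = query.strip().upper().replace(" ", "")
    if q.startswith("0X"):
        q = q[2:]
    if len(q) not in (8, 16, 40) or not set(q) <= HEX:
        raise ValueError("expected 8, 16 or 40 hex digits")
    return q

def build_index(keys):
    """Index each key under its 32-bit ID, 64-bit ID and full fingerprint.
    Assumption: v4 keys, so both key IDs are the tail of the fingerprint."""
    index = defaultdict(set)
    for fpr, uid in keys:
        fpr = normalize(fpr)
        if len(fpr) != 40:
            raise ValueError("a stored key needs a full fingerprint")
        for width in (8, 16, 40):
            index[fpr[-width:]].add((fpr, uid))
    return index

def lookup(index, query):
    """Return (matches, warning). Every matching key is reported, none is
    hidden; the warning is set when the query matches more than one key."""
    q = normalize(query)
    matches = sorted(index.get(q, ()))
    distinct = {fpr for fpr, _ in matches}
    warning = None
    if len(distinct) > 1:
        warning = ("%d different keys share %d-bit key ID 0x%s; search by "
                   "fingerprint to select one" % (len(distinct), 4 * len(q), q))
    return matches, warning

INDEX = build_index(SAMPLE_KEYS)

if __name__ == "__main__":
    for q in ("89ABCDEF", "0x0123456789ABCDEF", "9999999989ABCDEF"):
        found, warn = lookup(INDEX, q)
        print(q, [uid for _, uid in found], warn)
```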