duplicate keyid survey results

disastry@saiknes.lv.NO.SPaM.NET
Mon Mar 4 09:13:02 2002


Len Sassaman rabbi@quickie.net wrote:
> The thing that comes to mind immediately for me is that you should allow
> for a 64-bit key-ID search.

I think all (most?) keyservers allow this.
Some even allow search by fingerprint.

> When 32-bit key ID collisions occur, you may want your key server to
> display a warning in the user-interface.
> Remember that 32-bit collisions could be accidental,

Exactly. There are about 1600000 keys on the server ( http://www.dtype.org/keyanalyze/ ).
It's more than enough for the birthday paradox.
81 keys with duplicate keyid are normal, some of them are DEADBEAFed of course.

> so not reporting them
> would prevent the distribution of legitimate keys. (And you mention the
> possibility of an intentional DoS.)
> I personally think that public key servers should do little more than
> accept, store, and report data that it contains.

IMO, a keyserver SHOULD NOT accept keys/userids that are not self-signed.

> Preventing the display of
> keys with duplicate IDs steps over that line a bit too much for me.
> --Len.
> On Mon, 4 Mar 2002, Hironobu SUZUKI wrote:
> > > A current list of duplicate PGP keyids can be found on my website:

Disastry  http://disastry.dhs.org/
http://disastry.dhs.org/pgp <----PGP plugins for Netscape and MDaemon
 ^----PGP 2.6.3ia-multi05 (supports IDEA, CAST5, BLOWFISH, TWOFISH,
      AES, 3DES ciphers and MD5, SHA1, RIPEMD160, SHA2 hashes)
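The points discussed in this thread (the birthday estimate for 32-bit key IDs, a warning on short-ID collisions, and lookup by 64-bit ID or fingerprint), as an added example that is not part of the original message or of any keyserver's code. It assumes v4 keys, where the key ID is the low-order 64 bits of the 160-bit fingerprint; the fingerprints and function names are constructed for illustration.

```python
from collections import defaultdict

def expected_colliding_pairs(n_keys, id_bits=32):
    """Birthday estimate: expected number of key pairs sharing an ID,
    assuming IDs are uniformly distributed over 2**id_bits values."""
    return n_keys * (n_keys - 1) / 2 / 2 ** id_bits

def build_index(fingerprints):
    """Map each 32-bit key ID (last 8 hex digits) to its fingerprints."""
    index = defaultdict(list)
    for fpr in fingerprints:
        fpr = fpr.replace(" ", "").upper()
        index[fpr[-8:]].append(fpr)
    return index

def lookup(index, query):
    """Return (matches, warning) for an 8-, 16- or 40-hex-digit query."""
    q = query.replace(" ", "").upper()
    if q.startswith("0X"):
        q = q[2:]
    if len(q) not in (8, 16, 40):
        raise ValueError("expected a 32-bit ID, 64-bit ID or fingerprint")
    int(q, 16)  # raises ValueError if the query is not hexadecimal
    # Short ID selects the bucket; longer queries narrow it by suffix match.
    matches = [f for f in index.get(q[-8:], []) if f.endswith(q)]
    warning = None
    if len(q) == 8 and len(matches) > 1:
        warning = (f"{len(matches)} keys share 32-bit ID {q}; "
                   "search by 64-bit ID or fingerprint")
    return matches, warning

# Constructed sample fingerprints (not real keys): the first two share
# the 32-bit ID 12345678 but differ in their 64-bit IDs.
SAMPLE_FPRS = [
    "AA" * 12 + "0A0B0C0D" + "12345678",
    "BB" * 12 + "01020304" + "12345678",
    "CC" * 12 + "05060708" + "9ABCDEF0",
]

if __name__ == "__main__":
    print(f"expected colliding pairs among 1600000 keys: "
          f"{expected_colliding_pairs(1_600_000):.0f}")
    idx = build_index(SAMPLE_FPRS)
    for q in ("12345678", "0x0A0B0C0D12345678", "9ABCDEF0"):
        found, warn = lookup(idx, q)
        print(q, "->", len(found), "match(es)", "| WARNING: " + warn if warn else "")
```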