duplicate keyid survey results

Hironobu SUZUKI hironobu@h2np.net
Sat Mar 9 07:42:01 2002

> It is easy to make even a duplicate 64-bit keyid. 

 Step 0: If you use 32bit keyid, move Step 1. If 64bit keyid, move 
	 Step 2.

 Step 1: If you try to get a key by 32bit keyid but found duplicate keys,
	 move Step 2 or Step 3 which you wish.

 Step 2: If you try to get a key by 64bit keyid but found duplicate
         keys, move Step 3 or Step 4 which you wish.

         If 32bit duplicate keyid was generated by accidentally, 
	 64bit keyid searching will help most of them. 

 Step 3: Use Web interface and check a list of keyids combined
         fingerprints. Select one key and database will return actual
         key (using database OID). Users must be patients. So, some
         people like me move to Step 4.

 Step 4: Ask an actual public key for the key owner or get an public
         key from owner's web page.

> then that is a (mild) denial of service as well.

Yes, I know it. Please remember that the concept of "Web of Trust"
doesn't need any keyserver nor certificate authority. "No keyserver"
is default.

Hironobu SUZUKI
E-Mail: hironobu@h2np.net
URL: http://h2np.net