duplicate keyid survey results

V Alex Brennen vab@cryptnet.net
Mon Mar 11 00:57:02 2002

On Mon, 11 Mar 2002, Hironobu SUZUKI wrote:

> On Sun, 10 Mar 2002, V. Alex Brennen wrote:
> > I don't believe this is true.  While the potential to create 32 bit
> > key id collisions easily exists in v3, it is a hard problem in v4
> Yes. But v3 must be supported.

In functionality, yes.  But in security... well...  IMHO, it's ok to
just throw v3 people to the wolves - they know what they're using 
is not secure, that it is attackable, in many different ways.  The
fixes for the insecurities in v3 are what became part of v4.

People really need to upgrade and stop using anything earlier than
v4.  Trying to secure v3 is like trying to secure Windows 98 as an
internet server.

LDAP has a max results modifier on queries, I encourage people 
to code something similar into keyservers to protect against 
server side DOS's rather than return a warning or partial

	- VAB
V. Alex Brennen
Senior Systems Engineer
IBM Certified Specialist
IBM Business Partner
Bus: 352.246.8553
Fax: 770.216.1877