Key strangeness

David Shaw dshaw at jabberwocky.com
Sun Feb 8 10:46:58 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Feb 08, 2004 at 03:21:22PM +0000, Nick Boalch wrote:
> David Shaw wrote:
> 
> | All in all, I'm guessing corruption of the key, which can pretty
> | easily change the keyid to something else.  It could be a bug in
> | CryptoEx, but I'd think a bug that changes keyids would have been
> | noticed before now.  What does your correspondent say his keyid is?
> 
> I don't think it's a keyserver bug, as the same problem occurs if the key is
> exported directly from the software and emailed to me.
> 
> As far as he's aware, his keyid is 3A546EC2. Certainly messages he sends out
> are signed on 3A546EC2; but importing the key exported by his software and
> available on keyservers as 3A546EC2 actually gets you 7EDB7A47, so the
> signature is unverifiable.

A bug in his software (CryptoEx) would explain nearly everything
here.  Since CryptoEx naturally would be compatible with itself, it
would see the keyid as 3A546EC2.  It would fill in 3A546EC2 as the
issuer of signatures, and it would be able to verify its own
signatures so the key would be valid.

That theory doesn't explain why the keyservers indexed the key as
3A546EC2 though.  GnuPG, PGP 6 and 8, and my local copy of pksd all
agree the keyid is 7EDB7A47.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.5-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iHEEARECADEFAkAmWfIqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk
L2tleXMuYXNjAAoJEOJmXIdJ4cvJKqkAn2coVg3RLF7KX4D03X4RHBwScFs6AKCM
K9WOp9uAukXuGutZ8dazPQAD7w==
=T/ta
-----END PGP SIGNATURE-----
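
As an added illustration (not part of the original message, and not code from GnuPG or CryptoEx): a version 4 OpenPGP keyid is the low 64 bits of a SHA-1 fingerprint taken over the public-key packet, so a single corrupted bit yields an unrelated keyid. The sketch goes slightly beyond the corruption case discussed above by also showing that the creation timestamp is part of the hashed data; the key material and timestamp are constructed sample values, not the key from this thread.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet: version, creation time, algorithm 1 (RSA), MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over the octet 0x99, the 2-byte body length, and the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_ids(body: bytes) -> tuple:
    """Return (long keyid, short keyid): the low 64 and low 32 bits of the fingerprint."""
    fpr = v4_fingerprint(body)
    return fpr[-8:].hex().upper(), fpr[-4:].hex().upper()

# Constructed sample key material (not a real key, and not the key from this thread).
N = int.from_bytes(hashlib.sha512(b"constructed modulus").digest() * 2, "big") | (1 << 1023) | 1
E = 65537
CREATED = 1076233618  # arbitrary constructed timestamp

original = v4_rsa_key_body(CREATED, N, E)

# Simulated corruption: flip one bit inside the modulus (offset 40 lies within the first MPI).
_damaged = bytearray(original)
_damaged[40] ^= 0x01
corrupted = bytes(_damaged)

# Same key material, creation time off by one second.
retimed = v4_rsa_key_body(CREATED + 1, N, E)

if __name__ == "__main__":
    for label, body in (("original", original), ("bit flip", corrupted), ("timestamp+1", retimed)):
        long_id, short_id = key_ids(body)
        print(f"{label:12} long={long_id} short={short_id}")
```
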


