dshaw at jabberwocky.com
Tue Nov 29 05:17:54 CET 2005
On Tue, Nov 29, 2005 at 01:24:18AM +0100, Christoph Anton Mitterer wrote:
> Somewhere (unfortunately I've lost the URL) I've read about forging
> fingerprints and/keyIDs (not sure)....
> Meaning that an attacker could create a key (but as far as I remember
> with a different keysize onlz) that has the same fingerprint and/or
> keyID as another key.
> Is that true?
> Are there any information about that issue? How it works, how I can
> secure myself against it, etc.
It was true, but not true any longer. Back in the PGP 2.x days, it
was possible to create a key with (almost) any key ID you liked. See
the various "DEADBEEF" keys on the keyservers for example. Similarly,
it was possible to create a key that had the same fingerprint as a
(also PGP 2.x) victim/target key.
If you have a OpenPGP (v4) key, such as created by GnuPG, then this
basically doesn't apply to you.
More information about the Gnupg-users