getting an encrypted file to show what public key was used

Robert J. Hansen rjh at sixdemonbag.org
Tue May 29 18:24:53 CEST 2012


On 5/29/12 11:16 AM, Tanguy Herrmann wrote:
> This is a flaw in the OpenPGP protocol (If I remember right).

The protocol is fine, but it seems that the people involved did not
properly validate certificates.  (Note that I'm not certain about this,
hence my "seems".  Maybe I should qualify it as "seems likely.")

> And the flaw makes OpenPGP verify only that short Key
> ID instead of the full fingerprint, and that leads to collision of Key
> ID even if the keys are different ...

Certificate validation uses the full fingerprint.

> The easier solution for you would be to create a new key

I apologize for sounding strident here, but that advice is both
malinformed and wrong.

It's malinformed because when something fails, we should learn why it
failed and develop processes to prevent the failure in the future.
Saying "well, just have a do-over" is not consistent with the best
practices of software engineering.

It's wrong because it's the other person whose certificate has a
collision.  He can create all the new certificates he wants but it won't
change a thing.  He may also not be able to persuade the other person to
generate a new certificate: they may have already invested a lot in
their current certificate, and may not want to switch.
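
Added example, not part of the original message and not GnuPG code: a short (32-bit) key ID is only the low-order bits of a v4 fingerprint, so two different certificates can share it while their full fingerprints differ. The sketch below parses a key listing in the format of `gpg --with-colons --fingerprint --list-keys` and reports short key IDs shared by more than one fingerprint; the listing, fingerprints and user IDs are constructed for illustration, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the colon-delimited format of
# `gpg --with-colons --fingerprint --list-keys`; all values are made up.
SAMPLE = """\
pub:-:2048:1:89ABCDEFDEADBEEF:1300000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDEADBEEF:
uid:-::::1300000000::::Alice Example <alice@example.org>:
pub:-:2048:1:76543210DEADBEEF:1310000000:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210DEADBEEF:
uid:-::::1310000000::::Bob Example <bob@example.org>:
pub:-:2048:1:CCDDEEFF01234567:1320000000:::-:::scESC:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
uid:-::::1320000000::::Carol Example <carol@example.org>:
"""

def parse_keys(listing):
    """Return [(fingerprint, first_uid)] for each primary key in the listing."""
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"fpr": None, "uid": None}
            keys.append(current)
        elif current is None or len(f) < 10:
            continue
        elif f[0] == "fpr" and current["fpr"] is None:
            # First fpr record after pub belongs to the primary key (field 10).
            current["fpr"] = f[9].upper()
        elif f[0] == "uid" and current["uid"] is None:
            current["uid"] = f[9]
    return [(k["fpr"], k["uid"]) for k in keys if k["fpr"]]

def short_id_collisions(keys):
    """Map each short key ID shared by several distinct fingerprints to those keys."""
    by_short = defaultdict(dict)
    for fpr, uid in keys:
        by_short[fpr[-8:]][fpr] = uid  # short key ID = low 32 bits of a v4 fingerprint
    return {sid: sorted(m.items()) for sid, m in by_short.items() if len(m) > 1}

if __name__ == "__main__":
    for sid, members in short_id_collisions(parse_keys(SAMPLE)).items():
        print(f"short key ID {sid} is ambiguous; compare full fingerprints:")
        for fpr, uid in members:
            print(f"  {fpr}  {uid}")
```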


