It's 2014. Are we there yet?

One Jsim one.jsim at gmail.com
Sat Apr 19 16:35:39 CEST 2014


from:

http://www.pgp.net/pgpnet/pgp-faq/pgp-faq-keys.html#key-public-key-forgery

at 2014-04-19T14:49+1

I retrieve

"Yes, it is possible to create a public key with the same fingerprint as an
existing one, thanks to a design misfeature in PGP 2.x when signing RSA
keys. The fake key will not be of the same length, so it should be easy to
detect. Usually such keys have odd key lengths"

How percentage of PGP (or GPG?)  users, do you think, know that checking
fingerprint only is not an assurance against fake signatures? Did you know?

Jose Simoes
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20140419/50a9cdce/attachment.html>


More information about the Gnupg-users mailing list