dshaw at jabberwocky.com
Wed Jan 14 04:42:41 CET 2015
On Jan 13, 2015, at 10:11 PM, Sandeep Murthy <s.murthy at mykolab.com> wrote:
>> Only the right key will actually work for verification, but the program may not be able to find that right key.
> Wouldn’t this issue of possible collisions in the long key ID (64 bits / 16 hex digits)
> causing problems for the GPG program only be an issue in an organisational setting,
> where there is a large number of users sharing that program and where keys
> are uploaded to/retrieved from key servers using short IDs?
> For an individual who for example only imports keys with fingerprints (160 bits / 40 hex) and
> publishes their fingerprint rather than the short or long key ID, how can this risk arise
> or is there still an issue with key servers?
Unfortunately, it doesn't matter if users only use fingerprints when deciding to import a key or not. Internally, keys are looked up using the 64-bit key ID. This is a limitation of OpenPGP - the "issuer" of a signature is 64 bits long. If the user manages to get two keys that happen to have the same 64-bit key ID (the lowest 64 bits of the fingerprint, for OpenPGP keys) then this problem applies to them.
The discussion on gnupg-devel is about adding a larger issuer that contains the complete fingerprint.
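As an added illustration (not part of this thread or of GnuPG's code), here is how the long and short key IDs fall out of a v4 fingerprint, and a keyring check that flags fingerprints sharing the same 64-bit key ID. The key material below is constructed with tiny MPIs; real keys use the same framing with much larger numbers.

```python
import hashlib
import struct
from collections import defaultdict

def mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    if value == 0:
        return b"\x00\x00"
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")

def v4_public_key_body(created, algo, mpis):
    """Body of a version-4 public-key packet: version, creation time, algorithm, MPIs."""
    return b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)

def v4_fingerprint(body):
    """v4 fingerprint: SHA-1 over 0x99, the two-byte body length, and the body (160 bits)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def long_key_id(fpr):
    """Long key ID = lowest 64 bits (last 8 bytes) of the fingerprint; this is what signatures carry."""
    return fpr[-8:]

def short_key_id(fpr):
    """Short key ID = lowest 32 bits of the fingerprint."""
    return fpr[-4:]

def ambiguous_key_ids(fingerprints):
    """Group a keyring's fingerprints by 64-bit key ID. Any group with more than
    one fingerprint is a collision that a key-ID-based lookup cannot resolve."""
    groups = defaultdict(list)
    for fpr in fingerprints:
        groups[long_key_id(fpr).hex().upper()].append(fpr.hex().upper())
    return {kid: fprs for kid, fprs in groups.items() if len(fprs) > 1}

if __name__ == "__main__":
    # Constructed RSA (algo 1) key: creation time, then n and e as small placeholder MPIs.
    body = v4_public_key_body(1421206961, 1, [0xC3A5, 0x10001])
    fpr = v4_fingerprint(body)
    print("fingerprint :", fpr.hex().upper())
    print("long key ID :", long_key_id(fpr).hex().upper())
    print("short key ID:", short_key_id(fpr).hex().upper())
    # Two constructed fingerprints that differ only above the low 64 bits.
    a = bytes(12) + b"\x11" * 8
    b = b"\x01" + bytes(11) + b"\x11" * 8
    print("ambiguous   :", ambiguous_key_ids([a, b, fpr]))
```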