Vanity Keys

David Shaw dshaw at
Wed Jan 14 04:42:41 CET 2015

On Jan 13, 2015, at 10:11 PM, Sandeep Murthy <s.murthy at> wrote:
> Hi
>> Only the right key will actually work for verification, but the program may not be able to find that right key.
> Wouldn’t this issue of possible collisions in the long key ID (64 bits / 16 hex digits)
> causing problems for the GPG program only be an issue in an organisational setting,
> where there is a large number of users sharing that program and where keys
> are uploaded to/retrieved from key servers using short IDs?
> For an individual who for example only imports keys with fingerprints (160 bits / 40 hex) and
> publishes their fingerprint rather than the short or long key ID, how can this risk arise
> or is there still an issue with key servers?

Unfortunately, it doesn't matter if users only use fingerprints when deciding to import a key or not.  Internally, keys are looked up using the 64-bit key ID.  This is a limitation of OpenPGP - the "issuer" of a signature is 64 bits long.  If the user manages to get two keys that happen to have the same 64-bit key ID (the lowest 64 bits of the fingerprint, for OpenPGP keys) then this problem applies to them.

The discussion on gnupg-devel is about adding a larger issuer that contains the complete fingerprint.
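To make the point in David's reply concrete, here is an added example (not from the original thread, and not GnuPG's own code) that computes an OpenPGP v4 fingerprint and its 64-bit key ID as defined in RFC 4880, then runs a key-ID lookup over a constructed keyring. The key parameters, timestamp and the two fingerprints sharing a low 64 bits are all made up for illustration.

```python
import hashlib
import struct

def v4_fingerprint(creation_time: int, algo: int, mpis: list) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, a two-octet body length, and the
    v4 public-key packet body (version, creation time, algorithm, MPIs)."""
    body = bytes([4]) + struct.pack(">I", creation_time) + bytes([algo])
    for mpi in mpis:  # RFC 4880 3.2 MPI: two-octet bit count, then the magnitude
        bits = mpi.bit_length()
        body += struct.pack(">H", bits) + mpi.to_bytes((bits + 7) // 8, "big")
    return hashlib.sha1(bytes([0x99]) + struct.pack(">H", len(body)) + body).digest()

def key_id(fingerprint: bytes) -> bytes:
    """The 64-bit key ID carried in a signature's issuer subpacket is just
    the low-order 64 bits of the v4 fingerprint."""
    return fingerprint[-8:]

def candidates_for_issuer(keyring: dict, issuer: bytes) -> list:
    """Everything a key-ID lookup can return for a given 64-bit issuer.
    More than one entry means the verifier has to try each key in turn;
    a lookup by full fingerprint (keyring[fp]) never has that ambiguity."""
    return [fp for fp in keyring if key_id(fp) == issuer]

# Constructed demo key: toy RSA parameters (algorithm 1), not a real key,
# with a fixed creation timestamp.
DEMO_FP = v4_fingerprint(1421206961, 1, [0xC0FFEE1234567891, 65537])
DEMO_ID = key_id(DEMO_FP)

# Constructed keyring containing two fingerprints that share their low 64 bits.
# These are made-up 20-byte values, not fingerprints of real keys.
SHARED_TAIL = bytes.fromhex("0123456789abcdef")
FP_A = bytes(12) + SHARED_TAIL
FP_B = bytes([0xFF] * 12) + SHARED_TAIL
KEYRING = {DEMO_FP: "demo key", FP_A: "key 1", FP_B: "key 2"}

if __name__ == "__main__":
    print("demo fingerprint:", DEMO_FP.hex().upper())
    print("demo key ID     :", DEMO_ID.hex().upper())
    print("keys matching issuer", SHARED_TAIL.hex().upper(), "->",
          [KEYRING[fp] for fp in candidates_for_issuer(KEYRING, SHARED_TAIL)])
```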

