Collision attack against long Key Ids

John Z. johnz at pleasantnightmare.com
Sun Mar 15 17:56:06 CET 2026


It helps a lot! Thank you for the time and effort put into writing it all
up - it's not far away from what I presumed might be happening, but of
course with a far more detailed explanation.
I find it even more interesting how you precisely analyzed what I just
disliked about that 'HN style'.

I mean, there have been heated online opinion exchanges ever since there was
an internet, and they persist, but I don't recall so much 'activism' combined
with these opinion exchanges, except in the past decade and a half.

It concerns me to think what's going to happen and how things will evolve
once all the people who were involved with GNU (or Linux) from the beginning,
or are the 'second generation' (like myself), are gone, and there's no
one left who has the curiosity, or can even understand, let alone write and
maintain, such high-complexity code.
Especially when you add LLMs into the mix.

I wish I had something more substantial or profound to add.


-- 
John Z.
"All my thoughts are burning,
 and I like how warm the fire can be..."


On Sat, Mar 14, 2026 at 02:33:06PM -0400, Robert J. Hansen via Gnupg-users wrote:
> > If it's an OK, albeit simplistic, question to ask - is there a reason
> > for this?
> 
> There are many reasons.
> 
> My personal bête noire is there are a lot of people who derive their social
> status from the unholy union of (a) being a geek and (b) making people
> afraid. When you can make people afraid you can lead them into looking to
> you to tell them what to do. Making people afraid is usually a power play of
> some kind and it reminds me of high school. What pushes me over the edge
> into being a genuinely unpleasant person is when (c) they make people afraid
> about something the person is unable to find out for themselves. When
> Chicken Little told everyone the sky was falling, at least Chicken Little
> had the common decency to lie about something people could disprove just by
> looking up.
> 
> There are a lot of (a) nerdy people (b) making people scared about (c)
> near-future events they have to take on faith.
> 
> I don't see much difference between Sam Altman telling people "in eighteen
> months half of your jobs will be gone!" and somebody hiding behind a
> pseudonym saying "ackshually the new NSA listening center in Utah is going
> to be able to crack PGP because...". Either way it's the same spiel. These
> people make me very angry.
> 
> =====
> 
> Then there are the people who deal in half-truth criticisms. For instance, a
> lot of people say that Open/LibrePGP don't offer forward secrecy, and "all
> modern designs offer perfect forward secrecy."
> 
> Rubbish. PGP offered perfect forward secrecy in 1991. It was one of the
> first systems with perfect forward secrecy. It's so old it predates the term
> perfect forward secrecy.
> 
> What perfect forward secrecy means is "the compromise of a key does not
> allow an attacker to read messages sent after the compromise." Well,
> Open/LibrePGP uses random per-session cryptographic keys. Compromising the
> key used for a specific message doesn't help you compromise any other
> message, in the past or in the future. Open/LibrePGP is, in that sense,
> providing perfect forward secrecy.
> 
> At the same time, it's also plainly obvious that Open/LibrePGP uses
> long-term keys as well (your asymmetric keypair). And there, sure, there are
> criticisms that can be made from a PFS standpoint. Those are valid and worth
> listening to.
> 
> But for every person who gives a nuanced and complete understanding of PFS
> in Libre/OpenPGP, there are a dozen who are just repeating "no perfect
> forward secrecy guarantees!" without ever talking about the subject in a
> realistic way.
> 
> =====
> 
> Then there are academics who make highly academic criticisms that, although
> offered in good faith, often show a lack of consideration of real-world
> constraints on what we can do, or a lack of understanding of what the real
> problems are.
> 
> For instance, from RFC2440 to the final draft of RFC4880, OpenPGP specified
> 3DES as a permissible algorithm. 3DES was designed in the 1970s and is by
> modern standards unbearably ugly. It has all the aesthetic qualities of
> Soviet New Realism art, all the elegance of a North Korean workers' housing
> block. When the movie _Tropic Thunder_ played in theaters, when Robert Downey
> Jr.'s character exclaimed "Behold, God's mistake!", every cryptographer in
> the audience perked up thinking 3DES was about to make its Hollywood
> appearance.
> 
> But you'll notice I never said 3DES was weak. After fifty years (!!) of
> cryptanalytical research nobody knows of any practical attacks on 3DES when
> used in the standard OpenPGP use case. It's kind of impressive that way. (If
> you're using it for more than a few hundred megs of data in a single message
> you're doing it wrong, but how many of us actually do that?)
> 
> Given all this, for many years we were slow to remove 3DES from the
> Open/LibrePGP cipher suites. It was on the TODO. It wasn't terribly high
> priority. And our attitude on this caused a lot of academics to say "they
> still require every client support 3DES; my God, what backwards heathens."
> 
> =====
> 
> Some very serious people have made very serious criticisms of OpenPGP over
> the years. Matthew Green at Johns Hopkins, for starters, was really not a
> fan. See, for instance, this essay:
> 
> https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/
> 
> His criticisms in 2014 were pretty sharp and for the most part fair.
> Libre/OpenPGP took notice and have since taken steps to mitigate a lot of
> those concerns. (He's probably still not a fan, however.)
> 
> But for every solid, well-thought-out, and occasionally devastating critique
> on Open/LibrePGP there are easily a dozen ones that vary from disingenuous
> to confused to genuinely dishonest and manipulative.
> 
> Anyway. Hope this helps. :)
> 



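As an added illustration of the per-session-key point in Robert's reply (this is example code written for this page, not GnuPG's or anyone's code from the thread), here is a toy model of the OpenPGP message layout: a random session key per message, wrapped under a long-term key. It shows what falls when one session key leaks versus when the long-term key leaks; SHA-256 in counter mode is an assumed stand-in for the real ciphers and key wrapping.

```python
import hashlib
import os

# Toy model of an OpenPGP-style message: a random per-message session key
# encrypts the body, and only a copy wrapped under the recipient's long-term
# key travels with it. SHA-256 in counter mode stands in for the real
# ciphers and key wrapping (an assumption for illustration, not GnuPG code).

def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Derive n keystream bytes from key and a per-use label (toy cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_message(long_term_key: bytes, plaintext: bytes) -> dict:
    """Fresh session key per message; no body depends on another message's key."""
    session_key, nonce = os.urandom(32), os.urandom(16)
    return {
        "nonce": nonce,
        "wrapped_key": _xor(session_key, _keystream(long_term_key, nonce, 32)),
        "body": _xor(plaintext, _keystream(session_key, b"body", len(plaintext))),
    }

def unwrap_session_key(long_term_key: bytes, msg: dict) -> bytes:
    return _xor(msg["wrapped_key"], _keystream(long_term_key, msg["nonce"], 32))

def decrypt_with_session_key(msg: dict, session_key: bytes) -> bytes:
    return _xor(msg["body"], _keystream(session_key, b"body", len(msg["body"])))

def compromise_scenarios() -> dict:
    """Which messages fall when (a) one session key or (b) the long-term key leaks."""
    ltk = os.urandom(32)
    m1 = encrypt_message(ltk, b"first message")
    m2 = encrypt_message(ltk, b"second message")
    # (a) Only message 1's session key is compromised: it opens m1 and
    #     nothing else, which is the per-message independence Robert describes.
    sk1 = unwrap_session_key(ltk, m1)
    a = (decrypt_with_session_key(m1, sk1) == b"first message",
         decrypt_with_session_key(m2, sk1) == b"second message")
    # (b) The long-term key is compromised: every wrapped session key, past
    #     and future, can be unwrapped, which is where the PFS criticism bites.
    b = tuple(decrypt_with_session_key(m, unwrap_session_key(ltk, m)) == p
              for m, p in ((m1, b"first message"), (m2, b"second message")))
    return {"session_key_leak": a, "long_term_key_leak": b}
```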



