[Pkg-gnupg-maint] Bug#725411: gnupg: gpg blindly imports keys from keyserver responses
Florian Weimer
fw at deneb.enyo.de
Sun Aug 24 14:46:17 UTC 2014
* Paul Wise:
> In addition to the user expectations issues Andrew mentions, it isn't
> too hard to imagine attacks that take advantage of colliding key-ids,
> blind key imports by gpg and tools/users that only look at key-ids.
>
> http://www.asheesh.org/note/debian/short-key-ids-are-bad-news
The recommendation to rely on 64 bit key IDs is rather questionable
because V3 keys allow cheap construction of 64-bit key ID duplicates:
<http://www.ietf.org/mail-archive/web/openpgp/current/msg00373.html>
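The key-ID derivations this thread turns on, as an added example (not part of the mailing-list post): how a V4 key ID is just the tail of the SHA-1 fingerprint, how a V3 key ID is taken straight from the RSA modulus, and the fingerprint comparison a tool should make instead of trusting either. `E`, `N1` and `N2` are constructed toy integers, not real RSA keys.

```python
import hashlib
import struct

# Constructed toy values for illustration, NOT real RSA keys: N1 and N2 differ
# in their high bits but share the same low 64 bits.
E = 65537
N1 = (1 << 200) | 0x0123456789ABCDEF
N2 = (1 << 201) | 0x0123456789ABCDEF

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_fingerprint(created: int, n: int, e: int) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, a 2-byte body length, and the public-key packet
    body (version 4, 4-byte creation time, algorithm 1 = RSA, MPI(n), MPI(e))."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def v4_key_id(fpr: bytes, bits: int = 64) -> str:
    """A V4 key ID is simply the low `bits` of the fingerprint; the 32-bit 'short' form
    lives in a 2^32 space, so collisions need no special structure at all."""
    return fpr[-(bits // 8):].hex().upper()

def v3_fingerprint(n: int, e: int) -> bytes:
    """RFC 4880 12.2: a V3 fingerprint is MD5 over the raw bytes of n and e (no MPI headers)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes((e.bit_length() + 7) // 8, "big")
    return hashlib.md5(raw).digest()

def v3_key_id(n: int) -> str:
    """RFC 4880 12.2: a V3 key ID is the low 64 bits of the RSA modulus itself, independent
    of the fingerprint. This is the property the thread points at: whoever chooses the
    modulus' low bits chooses the 64-bit key ID."""
    return (n & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "big").hex().upper()

def same_key(fpr_a: bytes, fpr_b: bytes) -> bool:
    """The check a tool should make: compare full fingerprints, never key IDs."""
    return fpr_a == fpr_b

if __name__ == "__main__":
    print("V3 key IDs :", v3_key_id(N1), v3_key_id(N2))          # identical
    print("V3 fprs    :", v3_fingerprint(N1, E).hex(), v3_fingerprint(N2, E).hex())
    f1, f2 = v4_fingerprint(0, N1, E), v4_fingerprint(0, N2, E)
    print("V4 short/long IDs:", v4_key_id(f1, 32), v4_key_id(f1))
    print("same key?", same_key(f1, f2))                            # False
```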