[pkg-gnupg-maint] Bug#659905: Bug#659905: Short key collisions

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Sep 9 16:06:38 UTC 2017


On Sat 2017-09-09 17:02:31 +0200, Elena ``of Valhalla'' wrote:
> This ticket has remained open for a few years; nowadays short-ids are
> getting more and more deprecated, with the interfaces moving forwards
> towards using long-ids and full fingerprint.
>
> Could the bug be closed as no longer really relevant in the way gnupg
> should be currently used?

I confess i don't even see what the original bug report is complaining
about.  The user asks for all keys that have the given short key IDs
and, sure enough, they get a bunch of certificates that contain those
short key IDs in them.  :/

today, those two short key IDs result in 5 certs being retrieved (because
of evil32, i think) instead of the original 3.

>> I find strange that when I ask for a key what is returned is actually a
>> *master* key as well as all the possible *subkeys*.  This obviously
>> means that the possibility of a collision is bigger.
>
> Personally I find it convenient to be able to download a key by giving
> the id of a subkey as that is what is displayed e.g. by mutt when an
> email is signed by an unavailable key.

Yup, agreed.  I'm closing this bug because i think GnuPG is doing what
the user asked it to do.  If the user wants a specific key, they should
use a more specific key ID (at least long key ID, preferably full
fingerprint).

Thanks for triaging this bug, Elena!

If anyone disagrees with this conclusion, feel free to reopen the bug
report and explain the problem more clearly so we know what you think
the right behavior should be in this situation.

thanks,

    --dkg
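
An added example, not part of the original message and not GnuPG's own code: a small Python model of the lookup behaviour discussed above, where a v4 key ID is the low 32 (short) or 64 (long) bits of a fingerprint and a match on a subkey returns the whole certificate. The keyring, its fingerprints and the function names are constructed for illustration.

```python
import string

# Constructed sample keyring: made-up 40-hex-digit v4 fingerprints, not real keys.
KEYRING = [
    {"primary": "A" * 24 + "0123456789ABCDEF",
     "subkeys": ["A1" * 12 + "1111222233334444"]},
    {"primary": "B" * 24 + "FEDCBA9889ABCDEF",   # same low 32 bits as cert A
     "subkeys": []},
    {"primary": "C" * 24 + "5555666677778888",
     "subkeys": ["C1" * 12 + "9999000089ABCDEF"]},  # subkey shares them too
]

class AmbiguousKeyID(Exception):
    pass

def normalize(key_id):
    """Accept short (8), long (16) or full-fingerprint (40) hex identifiers."""
    s = key_id.replace(" ", "").upper()
    if s.startswith("0X"):
        s = s[2:]
    if len(s) not in (8, 16, 40) or any(c not in string.hexdigits for c in s):
        raise ValueError(f"not a key ID or fingerprint: {key_id!r}")
    return s

def lookup(keyring, key_id):
    """Return primary fingerprints of every cert whose primary key or any
    subkey has a fingerprint ending in key_id (v4 key IDs are the low
    64 or 32 bits of the fingerprint)."""
    wanted = normalize(key_id)
    return [cert["primary"] for cert in keyring
            if any(fpr.endswith(wanted)
                   for fpr in [cert["primary"], *cert["subkeys"]])]

def resolve_unique(keyring, key_id):
    """Fail closed unless the identifier selects exactly one certificate."""
    matches = lookup(keyring, key_id)
    if len(matches) != 1:
        raise AmbiguousKeyID(f"{key_id} matched {len(matches)} certificates")
    return matches[0]

if __name__ == "__main__":
    for kid in ("89ABCDEF", "0x0123456789ABCDEF", KEYRING[2]["subkeys"][0]):
        print(kid, "->", lookup(KEYRING, kid))
```

A script that fetches or trusts keys by identifier can apply the same rule as `resolve_unique`: refuse to proceed when the identifier selects more than one certificate.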