Re: PGP Signatures security BUG!
From: wk () GNUPG ORG (Werner Koch)
Date: Wed, 8 Mar 2000 11:32:41 +0100
On Tue, 7 Mar 2000, Povl H. Pedersen wrote:
> The problem is that the PGP servers expect all key IDs to be unique
> numbers, and do not expect 2 users to have the same keyID. And with
> the current number of users, we are starting to get multiple users
> with the same keyID.
RFC2440 clearly states that a conforming implementation MUST not assume
that key IDs are unique. However, NAI does not claim that their PGP
is OpenPGP compatible.

There will be a keyserver admin meeting in May where we are going to
discuss all these topics.

BTW, faking the short key ID (the one that is normally displayed -
internally 64 bits are used) is possible on a standard box within some