
Re: Number of developers, keyring map



On 31 May 1999, Craig Brozefsky wrote:

> Actually, you would not need to break MD5.  There are various ways of
> generating identical MD5 checksums, provided that things like key
> size, or the keyid are not known.

Hmm, this is rather disturbing, he basically says that you can spoof both
the key fingerprint and the keyID to produce identical ID
information from different keys. Sounds like I should be using a triplet
composed of the keyid, fingerprint and keylength?

We are not directly vulnerable to this as our key list is protected, GPG
will not be able to verify a spoofed key against it, but I can envision
some way where a key could be accidentally inserted into the ring through
spoofing..

Jason
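
Added example, not part of the original message: a check of key material against a pinned (keyid, fingerprint, keylength) triplet, as suggested above. It assumes the PGP v3 definitions (fingerprint is MD5 over the modulus and exponent bytes with no length fields, key ID is the low 64 bits of the modulus); the byte strings are constructed toy values, not real RSA keys, and the function names are hypothetical.

```python
import hashlib

def v3_fingerprint(n: bytes, e: bytes) -> str:
    # MD5 over modulus bytes followed by exponent bytes; the lengths are
    # not hashed, so the n/e boundary is not covered by the fingerprint.
    return hashlib.md5(n + e).hexdigest()

def key_id(n: bytes) -> str:
    # v3 key ID: low 64 bits of the public modulus.
    return n[-8:].hex()

def key_bits(n: bytes) -> int:
    # Key length in bits, taken from the modulus itself.
    return int.from_bytes(n, "big").bit_length()

def identity(n: bytes, e: bytes) -> tuple:
    return (key_id(n), v3_fingerprint(n, e), key_bits(n))

def matches_pin(pin: tuple, n: bytes, e: bytes, use_length: bool = True) -> bool:
    # Compare a candidate key against the pinned identity. With
    # use_length=False only keyid + fingerprint are compared.
    cand = identity(n, e)
    return cand == pin if use_length else cand[:2] == pin[:2]

# Constructed toy material (assumption: stands in for a v3 RSA public key).
N_A = bytes.fromhex("c5" + "11" * 15)   # 16-byte "modulus"
E_A = bytes.fromhex("010001")           # "exponent"

# Same byte stream, boundary moved one byte to the left.
STREAM = N_A + E_A
N_B, E_B = STREAM[:15], STREAM[15:]

PIN = identity(N_A, E_A)

if __name__ == "__main__":
    print("pinned        :", PIN)
    print("other split   :", identity(N_B, E_B))
    print("keyid+fpr only:", matches_pin(PIN, N_B, E_B, use_length=False))
    print("with keylength:", matches_pin(PIN, N_B, E_B))
```
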

