Re: Number of developers, keyring map
On 31 May 1999, Craig Brozefsky wrote:
> Actually, you would not need to break MD5. There are various ways of
> generating identical MD5 checksums, provided that things like key
> size, or the keyid are not known.
Hmm, this is rather disturbing, be basically says that you can spoof both
the key fingerprint and the keyID to produce an identical ID
information from different keys. Sounds like I should be using a triplet
composed of the keyid, fingerprint and keylength ?
We are not directly vunerable to this as our key list is protected, GPG
will not be able to verifiy a spoofed key against it, but I can envision
some way where a key could be accidently inserted into the ring through