Re: So I received a gpg-signed email, can I trust it?

Hi Enrico,

On 08.07.2016 11:21, Enrico Zini wrote:

> given that it is now possible to generate arbitrary short key ID
> collisions[1], and that it's now computationally feasible to at least
> generate a pair of keys with colliding long key IDs, I'd like to rethink
> practices and tools.

With the web of trust, in principle there shouldn't be a problem.

I have a valid trust path to Piotr's correct key. I don't have any to the
fake key, because no one I trust has signed a key from the evil32 set.

What could be improved would be detection of new signatures under fake
keys. I've filed Debian bug #830479 about a possible solution.

