Hi Enrico,

On 08.07.2016 11:21, Enrico Zini wrote:
> given that it is now possible to generate arbitrary short key ID
> collisions[1], and that it's now computationally feasible to at least
> generate a pair of keys with colliding long key IDs, I'd like to rethink
> practices and tools.

With the web of trust, in principle there shouldn't be a problem. I have a valid trust path to Piotr's correct key. I don't have any to the fake key, because no one I trust has signed a key from the evil32 set.

What could be improved would be detection of new signatures under fake keys. I've filed Debian bug #830479 about a possible solution.

Simon
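An added example, not part of the message above and not the tool proposed in the Debian bug: a keyring audit that flags key IDs shared by more than one fingerprint, which is the ambiguity the thread is about. It relies on the v4 key ID being the low-order end of the fingerprint; the listing is constructed in the style of `gpg --with-colons --fingerprint` output and its fingerprints are made up.

```python
from collections import defaultdict

# Constructed sample in the style of `gpg --with-colons --fingerprint`.
# These fingerprints are invented for illustration; they are not real keys.
SAMPLE_LISTING = """\
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444DEADBEEF:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
fpr:::::::::99998888777766665555444433332222DEADBEEF:
"""


def fingerprints(listing):
    """Extract 40-hex-digit v4 fingerprints (field 10 of `fpr` records)."""
    found = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and len(fields[9]) == 40:
            found.append(fields[9].upper())
    return found


def key_id(fpr, hex_digits):
    """Key ID = trailing hex digits of the fingerprint (8 short, 16 long)."""
    return fpr[-hex_digits:]


def collisions(fprs, hex_digits=8):
    """Return {key ID: [fingerprints]} for IDs shared by distinct keys."""
    groups = defaultdict(set)
    for fpr in fprs:
        groups[key_id(fpr, hex_digits)].add(fpr)
    return {kid: sorted(g) for kid, g in groups.items() if len(g) > 1}


if __name__ == "__main__":
    fprs = fingerprints(SAMPLE_LISTING)
    for digits, label in ((8, "short"), (16, "long")):
        hits = collisions(fprs, digits)
        print(f"{label} key ID collisions: {len(hits)}")
        for kid, group in hits.items():
            for fpr in group:
                print(f"  {kid} -> {fpr}")
```

Any key ID this reports has to be resolved by full fingerprint and a trust path, never by the ID alone.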