
Re: So I received a gpg-signed email, can I trust it?



On Fri, Jul 08, 2016 at 02:33:54PM +0200, Simon Richter wrote:

> > given that it is now possible to generate arbitrary short key ID
> > collisions[1], and that it's now computationally feasible to at least
> > generate a pair of keys with colliding long key IDs, I'd like to rethink
> > practices and tools.
> 
> With the web of trust, in principle there shouldn't be a problem.
> 
> I have a valid trust path to Piotr's correct key. I don't have any to the
> fake key, because no one I trust has signed a key from the evil32 set.

What if you received a message signed with key 9F6C6333?

That is, what do you do (please list the practical steps) to validate a
signature that is a few steps away from your key in the WoT?


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>

Attachment: signature.asc
Description: PGP signature