[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: So I received a gpg-signed email, can I trust it?

On Fri, Jul 08, 2016 at 02:33:54PM +0200, Simon Richter wrote:

> > given that it is now possible to generate arbitrary short key ID
> > collisions[1], and that it's now computationally feasible to at least
> > generate a pair of keys with colliding long key IDs, I'd like to rethink
> > practices and tools.
> With the web of trust, in principle there shouldn't be a problem.
> I have a valid trust path to Piotr's correct key. I don' have any to the
> fake key, because no one I trust has signed a key from the evil32 set.

What if you received a message signed with key 9F6C6333?

That is, what do you do (please list the practical steps) to validate a
signature that is a few steps away from your key in the WoT?


GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>

Attachment: signature.asc
Description: PGP signature

Reply to: