[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: So I received a gpg-signed email, can I trust it?

* Simon Richter <sjr@debian.org>, 2016-07-08, 14:33:
given that it is now possible to generate arbitrary short key ID collisions[1], and that it's now computationally feasible to at least generate a pair of keys with colliding long key IDs, I'd like to rethink practices and tools.

With the web of trust, in principle there shouldn't be a problem.

I have a valid trust path to Piotr's correct key. I don' have any to the fake key, because no one I trust has signed a key from the evil32 set

Given that many crypto tools have --feel-free-to-shoot-me-in-the-foot as the default, and some even don't have --do-not-shoot-me-in-the-foot as an option (see #800134), it's only a matter of time before someone slips up.

Or maybe it's already happened? Check out debian-hiding-problems@, er, I mean debian-private@ archives.

Jakub Wilk

Reply to: