Re: Key collisions in the wild
On Wed, 2016-08-10 at 12:19 +0200, Jakub Wilk wrote:
> * Samuel Thibault <firstname.lastname@example.org>, 2016-08-10, 01:17:
> > Samuel Thibault, on Wed 10 Aug 2016 00:47:43 +0200, wrote:
> > >
> > > € gpg --search-key email@example.com
> > > ...
> > > (1) Samuel Thibault <firstname.lastname@example.org>
> > > 4096 bit RSA key 7D069EE6, created: 2014-06-16
> > And it has 55 signatures from 55 colliding keys...
> The forger botched it up, because all its signatures have almost the
> same creation time. You can tell it's a sham key from quite a long
> way away.
A tool which could scan pubrung.gpg (and friends) and warn about the
presence of such bad keys, perhaps based on an explicit blacklist of
the evil32 keys rather than heuristics about the creation times, would
be useful as a periodic hygiene check on my ~/.gnupg. Does such a thing
exist? Is it even possible?
 thinking along the lines of openssl-vulnkeys or openssl-vulnkey.