Re: Key collisions in the wild

To: debian-devel@lists.debian.org
Subject: Re: Key collisions in the wild
From: Ian Campbell <ijc@debian.org>
Date: Wed, 10 Aug 2016 11:27:39 +0100
Message-id: <[🔎] 1470824859.4745.34.camel@debian.org>
In-reply-to: <[🔎] 20160810101940.wphio5s6lhcdwedm@jwilk.net>
References: <[🔎] 20160809224743.GZ6224@var.home> <[🔎] 20160809231704.GF6224@var.home> <[🔎] 20160810101940.wphio5s6lhcdwedm@jwilk.net>

On Wed, 2016-08-10 at 12:19 +0200, Jakub Wilk wrote:
> * Samuel Thibault <sthibault@debian.org>, 2016-08-10, 01:17:
> > 
> > Samuel Thibault, on Wed 10 Aug 2016 00:47:43 +0200, wrote:
> > > 
> > > € gpg --search-key samuel.thibault@gnu.org
> > > ...
> > > (1) Samuel Thibault <samuel.thibault@gnu.org>
> > > 4096 bit RSA key 7D069EE6, created: 2014-06-16
> > 
> > And it has 55 signatures from 55 colliding keys...
> 
> The forger botched it up, because all its signatures have almost the 
> same creation time. You can tell it's a sham key from quite a long
> way away.

A tool[0] which could scan pubrung.gpg (and friends) and warn about the
presence of such bad keys, perhaps based on an explicit blacklist of
the evil32 keys rather than heuristics about the creation times, would
be useful as a periodic hygiene check on my ~/.gnupg. Does such a thing
exist? Is it even possible?

Ian.

[0] thinking along the lines of openssl-vulnkeys or openssl-vulnkey.

Reply to:

References:
- Re: Key collisions in the wild
  - From: Samuel Thibault <sthibault@debian.org>
- Re: Key collisions in the wild
  - From: Samuel Thibault <sthibault@debian.org>
- Re: Key collisions in the wild
  - From: Jakub Wilk <jwilk@debian.org>

Prev by Date: Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
Next by Date: Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
Previous by thread: Re: Key collisions in the wild
Next by thread: Re: Key collisions in the wild
Index(es):
- Date
- Thread