Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
Samuel Thibault, on Wed 10 Aug 2016 12:46:07 +0200, wrote:
> Holger Levsen, on Wed 10 Aug 2016 10:26:09 +0000, wrote:
> > I'm somewhat surprised by this mail… or rather by you appearantly
> > knowing about the issue but still you seem to not have acted as advised,
> > so let me repeat: everybody, please put "keyid-format long" into your
> > ~/.gnupg/gpg.conf!
> Well, I did in the end, yes, but I personally have never trusted these
> IDs anyway, and would only trust signature paths.
And actually, moving to 64bit fingerprints by default is possibly not a
good idea: who knows when 64bit will not be secure any more? Estimating
very roughly, if a 32bit collision can be found within a few seconds
with one GPU now as evil32 seems to show, a supercomputer with 10000
GPUs can find a 64bit collision within a month...
Really, only signature paths should be looked at by people, and it seems
like we are tending to let people think 64bit fingerprints are "secure".