[14227] in bugtraq
Re: PGP Signatures security BUG!
daemon@ATHENA.MIT.EDU (Werner Koch)
Thu Mar 9 05:40:43 2000
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000308113241.Y27044@djebel.gnupg.de>
Date: Wed, 8 Mar 2000 11:32:41 +0100
Reply-To: Werner Koch <wk@GNUPG.ORG>
From: Werner Koch <wk@GNUPG.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <p04310108b4eabe46523c@[130.227.158.132]>; from pope@NETGUIDE.DK on Tue, Mar 07, 2000 at 03:29:00PM +0100
On Tue, 7 Mar 2000, Povl H. Pedersen wrote:
> The problem is that the PGP servers expect all key IDs to be unique
> numbers, and do not expect 2 users to have the same keyID. And with
> the current amount of users, we are starting to get multiple users
> with the same keyID.
RFC2440 clearly states that a conforming implementation MUST not assume
that key IDs are unique. However, NAI does not claim that their PGP
is OpenPGP compatible.
There will be a keyserver admin meeting in May where we are going to
discuss all these topics.
BTW, faking the short key ID (the one that is normally displayed -
internally 64 bits are used) is possible on a standard box within some
hours.
Werner
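Added example, not part of the thread: how a V4 fingerprint and the 64-bit and 32-bit key IDs are derived per RFC 2440 (SHA-1 over 0x99, the two-octet length and the public key packet body; the key ID is the low-order bits of the fingerprint), and a keyserver-style index that, as the RFC requires, never assumes a key ID maps to a single key. The two key packets are constructed toy values, not real keys.

```python
import hashlib
import struct
from collections import defaultdict

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit length, then big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_public_key_body(created: int, algo: int, mpis: list) -> bytes:
    """Public key packet body: version 4, creation time, algorithm id, key MPIs."""
    return b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)

def v4_fingerprint(body: bytes) -> bytes:
    """RFC 2440 11.2: SHA-1 of 0x99, the two-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_ids(fpr: bytes):
    """Long key ID = low 64 bits of the fingerprint; short (displayed) ID = low 32 bits."""
    return fpr[-8:].hex().upper(), fpr[-4:].hex().upper()

class KeyIndex:
    """Keyserver-style index: keyed by fingerprint, with ID lookups that return every match."""
    def __init__(self):
        self.by_fpr = {}
        self.by_id = defaultdict(list)   # short or long ID -> list of fingerprints

    def add(self, body: bytes) -> bytes:
        fpr = v4_fingerprint(body)
        if fpr not in self.by_fpr:       # same key uploaded twice is not a collision
            self.by_fpr[fpr] = body
            for kid in key_ids(fpr):
                self.by_id[kid].append(fpr)
        return fpr

    def lookup(self, hex_id: str) -> list:
        """Return all fingerprints matching an 8-, 16- or 40-hex-digit identifier.
        A caller must treat more than one result as ambiguous, never pick the first."""
        hex_id = hex_id.upper().removeprefix("0X")
        if len(hex_id) == 40:
            fpr = bytes.fromhex(hex_id)
            return [fpr] if fpr in self.by_fpr else []
        return list(self.by_id.get(hex_id, []))

# Constructed toy RSA-style packets (algo 1, tiny modulus/exponent); not usable keys.
KEY_A = v4_public_key_body(952511561, 1, [0xC0FFEE1234567, 65537])
KEY_B = v4_public_key_body(952511562, 1, [0xDEADBEEF98765, 65537])
```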