On 5/29/12 11:16 AM, Tanguy Herrmann wrote:
> This is a flaw in the OpenPGP protocol (If I remember right).

The protocol is fine, but it seems that the people involved did not properly validate certificates. (Note that I'm not certain about this, hence my "seems". Maybe I should qualify it as "seems likely.")

> And the flaw makes OpenPGP verify only that short Key ID instead of the
> full fingerprint, and that leads to collisions of Key IDs even if the
> keys are different ...

Certificate validation uses the full fingerprint.

> The easier solution for you would be to create a new key

I apologize for sounding strident here, but that advice is both malinformed and wrong.

It's malinformed because when something fails, we should learn why it failed and develop processes to prevent the failure in the future. Saying "well, just have a do-over" is not consistent with the best practices of software engineering.

It's wrong because it's the other person whose certificate has a collision. He can create all the new certificates he wants but it won't change a thing. He may also not be able to persuade the other person to generate a new certificate: they may have already invested a lot in their current certificate, and may not want to switch.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
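The point made above, that a short Key ID is only the low 32 bits of the fingerprint while validation compares the whole fingerprint, can be shown concretely. The following is an added example, not code from the thread or from GnuPG: it builds the version 4 public-key packet layout from RFC 4880 (section 5.5.2) and derives the fingerprint the way section 12.2 specifies (SHA-1 over 0x99, the two-octet body length, and the body), then runs a birthday search over the packet's creation timestamp until two otherwise identical packets share a short Key ID. The RSA modulus is a constructed, deterministic 2048-bit value standing in for a real key; it is never used for any cryptographic operation, because only the packet bytes matter to the fingerprint. The function and constant names are this example's own.

```python
import hashlib
import struct

# Constructed key material for this demo: a deterministic, random-looking
# 2048-bit value standing in for an RSA modulus, plus e = 65537. It is NOT a
# real key pair and is never used to sign or encrypt; it only feeds the
# fingerprint hash, which is all the Key ID derivation looks at.
FAKE_N = int.from_bytes(hashlib.sha256(b"gnupg-users demo").digest() * 8, "big") | (1 << 2047)
E = 65537


def mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(n, e, created):
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2):
    version octet, 4-octet creation time, algorithm octet (1 = RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body):
    """RFC 4880, section 12.2: SHA-1 over 0x99, 2-octet body length, then the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def short_key_id(fpr):
    """The 32-bit 'short' Key ID is the low-order 4 octets of the fingerprint."""
    return fpr[-4:]


def long_key_id(fpr):
    """The 64-bit 'long' Key ID is the low-order 8 octets of the fingerprint."""
    return fpr[-8:]


def find_short_id_collision(n, e, start=1338300000):
    """Birthday search over the creation timestamp only: every other octet of
    the packet is held fixed, so the two colliding 'keys' differ in one field.
    Expected cost is roughly 2**16 SHA-1 computations, well under a second."""
    seen = {}  # short Key ID -> (created, fingerprint)
    created = start
    while True:
        fpr = v4_fingerprint(v4_public_key_body(n, e, created))
        kid = short_key_id(fpr)
        if kid in seen:
            return seen[kid], (created, fpr)
        seen[kid] = (created, fpr)
        created += 1


def matches_by_short_id(trusted_fpr, presented_fpr):
    """The weak check: accepts any key whose fingerprint ends in the same 4 octets."""
    return short_key_id(trusted_fpr) == short_key_id(presented_fpr)


def matches_by_fingerprint(trusted_fpr, presented_fpr):
    """The check certificate validation actually performs: all 20 octets must match."""
    return trusted_fpr == presented_fpr


if __name__ == "__main__":
    (c1, f1), (c2, f2) = find_short_id_collision(FAKE_N, E)
    print("key A created %d  fpr %s" % (c1, f1.hex().upper()))
    print("key B created %d  fpr %s" % (c2, f2.hex().upper()))
    print("short ID match:", matches_by_short_id(f1, f2))        # True
    print("fingerprint match:", matches_by_fingerprint(f1, f2))  # False
```

Running it prints two fingerprints whose last eight hex digits are identical while the other thirty-two differ, which is exactly the situation described in the thread: a tool or a person that compares only the short Key ID accepts the second key, while a comparison of the full fingerprint rejects it. The same search against the 64-bit long Key ID would need on the order of 2**32 hashes, and against the full 160-bit fingerprint it is out of reach, which is why the validation step, not the protocol, is where such a collision has to be caught.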