On Feb 15, 2011, at 11:35 PM, Daniel Kahn Gillmor wrote:

> On 02/15/2011 09:22 PM, lists.gn...@mephisto.fastmail.net wrote:
>> If you have your public key published somewhere, such as on a key
>> server, the Key ID is a way for other people to unambiguously look up
>> the full key.
> 
> You're quite correct that the key ID provides a handle that references
> the actual public key, and is not the public key itself.
> 
> However, the key ID is not guaranteed to be unique.  In fact, short key
> IDs (of the form 0xDEADBEEF) are trivial to find collisions for -- there
> just aren't enough of them, so the search space is small enough to
> exhaust with very commonplace hardware.

Here's a fun example: https://webtru.st/pks/lookup?search=0x001FA1AD&op=vindex

Compare his last name to his key ID :)

Way back when, there was actually a tool ("Abattoir") that you could give a 
chosen (short) key ID to and it would just generate keys over and over until it 
hit it.  Given the improvements in CPU speed since then, this should be even 
easier now.

David
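
An added illustration of the point made in this thread, not part of the original emails or of GnuPG: it scans a `gpg --with-colons` style listing for keys that share a short key ID, and compares keys by full fingerprint instead. It assumes v4 keys, where the short key ID is the low 32 bits of the 160-bit fingerprint. The function names are hypothetical and the sample listing is constructed.

```python
import re
from collections import defaultdict

# Constructed `gpg --with-colons --fingerprint` style listing; the keys and
# fingerprints are made up for this example.
SAMPLE = """\
pub:-:2048:1:89ABCDEFDEADBEEF:1297728000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDEADBEEF:
uid:-::::1297728000::::Alice Example <alice@example.org>:
pub:-:2048:1:76543210DEADBEEF:1297728000:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210DEADBEEF:
uid:-::::1297728000::::Alice Example <alice@example.org>:
pub:-:2048:1:6D7E8F900BADF00D:1297728000:::-:::scESC:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F900BADF00D:
uid:-::::1297728000::::Bob Example <bob@example.org>:
"""

def normalize(fpr):
    """Return a 40-hex-digit (v4) fingerprint in canonical form, or raise."""
    s = re.sub(r"\s+", "", fpr).upper()
    if s.startswith("0X"):
        s = s[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError("not a full v4 fingerprint: %r" % fpr)
    return s

def fingerprints(listing):
    """Extract fingerprints from 'fpr' records (field 10 holds the value)."""
    out = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            out.append(normalize(fields[9]))
    return out

def short_id(fpr):
    """Short key ID: the last 8 hex digits (low 32 bits) of the fingerprint."""
    return normalize(fpr)[-8:]

def colliding_short_ids(fprs):
    """Map each short ID shared by more than one distinct key to those keys."""
    groups = defaultdict(set)
    for f in fprs:
        groups[short_id(f)].add(normalize(f))
    return {sid: sorted(fs) for sid, fs in groups.items() if len(fs) > 1}

def same_key(expected, candidate):
    """Compare keys by full fingerprint; a short ID is rejected by normalize()."""
    return normalize(expected) == normalize(candidate)

if __name__ == "__main__":
    for sid, fs in colliding_short_ids(fingerprints(SAMPLE)).items():
        print("short ID 0x%s is ambiguous:" % sid, ", ".join(fs))
```
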


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
