On Jan 13, 2015, at 10:11 PM, Sandeep Murthy <s.mur...@mykolab.com> wrote:
>
> Hi
>
>> Only the right key will actually work for verification, but the program may
>> not be able to find that right key.
>
> Wouldn’t this issue of possible collisions in the long key ID (64 bits / 16 hex digits)
> causing problems for the GPG program only be an issue in an organisational setting,
> where there is a large number of users sharing that program and where keys
> are uploaded to/retrieved from key servers using short IDs?
>
> For an individual who for example only imports keys with fingerprints (160 bits / 40 hex) and
> publishes their fingerprint rather than the short or long key ID, how can this risk arise
> or is there still an issue with key servers?
Unfortunately, it doesn't matter if users only use fingerprints when deciding to import a key or not. Internally, keys are looked up using the 64-bit key ID. This is a limitation of OpenPGP - the "issuer" of a signature is 64 bits long. If the user manages to get two keys that happen to have the same 64-bit key ID (the lowest 64 bits of the fingerprint, for OpenPGP keys) then this problem applies to them.

The discussion on gnupg-devel is about adding a larger issuer that contains the complete fingerprint.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
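An added illustration of the derivation David describes (example code, not from the thread or from GnuPG): the v4 fingerprint is the SHA-1 of the public-key packet as laid out in RFC 4880, the 64-bit key ID is its low 64 bits, and a keyring lookup driven only by a signature's 64-bit issuer can return more than one candidate. The RSA values and the fingerprints in `DEMO_KEYRING` are constructed samples, not real keys.

```python
import hashlib


def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte big-endian bit length, then the magnitude bytes."""
    nbytes = (n.bit_length() + 7) // 8
    return n.bit_length().to_bytes(2, "big") + n.to_bytes(nbytes, "big")


def rsa_pubkey_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet for RSA (algorithm 1): version, creation time, algo, MPIs."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, a two-byte body length, and the packet body."""
    data = b"\x99" + len(pubkey_body).to_bytes(2, "big") + pubkey_body
    return hashlib.sha1(data).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    return fingerprint.upper()[-16:]   # low 64 bits: what a signature's issuer field carries


def short_key_id(fingerprint: str) -> str:
    return fingerprint.upper()[-8:]    # low 32 bits: the "short" ID seen on key servers


def candidates_for_issuer(keyring: dict, issuer: str) -> list:
    """keyring maps fingerprint -> record. Return every key whose 64-bit key ID
    matches the issuer; with more than one hit, verification must be tried
    against each candidate rather than the first match."""
    wanted = issuer.upper().removeprefix("0X")
    return [rec for fpr, rec in keyring.items() if long_key_id(fpr) == wanted]


# Constructed sample fingerprints (not real keys): the first two share their
# low 64 bits, so a lookup by 64-bit issuer cannot tell them apart.
DEMO_KEYRING = {
    "1111111111111111111111110123456789ABCDEF": {"owner": "alice (constructed)"},
    "2222222222222222222222220123456789ABCDEF": {"owner": "second key (constructed)"},
    "3333333333333333333333333333333333333333": {"owner": "bob (constructed)"},
}

if __name__ == "__main__":
    body = rsa_pubkey_body(0xC0FFEE1234567891ABCDEF, 65537, 1421194260)  # toy values
    fpr = v4_fingerprint(body)
    print(fpr, long_key_id(fpr), short_key_id(fpr))
    print(len(candidates_for_issuer(DEMO_KEYRING, "0x0123456789ABCDEF")), "candidates")
```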