On Wed, 2016-08-10 at 12:19 +0200, Jakub Wilk wrote:
> * Samuel Thibault <sthiba...@debian.org>, 2016-08-10, 01:17:
> > Samuel Thibault, on Wed 10 Aug 2016 00:47:43 +0200, wrote:
> > > € gpg --search-key samuel.thiba...@gnu.org
> > > ...
> > > (1) Samuel Thibault <samuel.thiba...@gnu.org>
> > > 4096 bit RSA key 7D069EE6, created: 2014-06-16
> >
> > And it has 55 signatures from 55 colliding keys...
>
> The forger botched it up, because all its signatures have almost the
> same creation time. You can tell it's a sham key from quite a long
> way away.
A tool[0] which could scan pubring.gpg (and friends) and warn about the presence of such bad keys, perhaps based on an explicit blacklist of the evil32 keys rather than heuristics about the creation times, would be useful as a periodic hygiene check on my ~/.gnupg. Does such a thing exist? Is it even possible?

Ian.

[0] thinking along the lines of openssl-vulnkeys or openssl-vulnkey.
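As an added example (not code from this thread, from GnuPG, or from any existing tool), here is a Python sketch of the hygiene check Ian describes. It parses the colon-format output of `gpg --with-colons --fixed-list-mode --fingerprint --list-sigs`, matches full fingerprints and signer long key IDs against an explicit blacklist, and applies Jakub's creation-time observation as a secondary warning. The blacklist entries and the embedded sample listing are constructed placeholders, not real evil32 keys; `parse_listing`, `scan` and `demo` are names chosen here.

```python
#!/usr/bin/env python3
"""Keyring hygiene check: flag keys on an explicit fingerprint blacklist and
keys whose third-party certifications cluster suspiciously in time.
Input: gpg --with-colons --fixed-list-mode --fingerprint --list-sigs
Fields used (0-based): pub[4]=long key ID, fpr[9]=fingerprint,
sig[4]=signer long key ID, sig[5]=creation time, sig[10]=signature class."""
import subprocess
from datetime import datetime, timezone

# Constructed placeholder blacklist; NOT real evil32 fingerprints. A real
# deployment would load a published list of colliding-key fingerprints.
BLACKLIST = {"0" * 24 + "DDDDDDDDDDDDDDDD", "C" * 24 + "3333333333333333"}
CERT_CLASSES = ("10", "11", "12", "13")   # 0x10-0x13: user ID certifications


def _epoch(s):
    """fixed-list-mode gives seconds since epoch; older listings give YYYY-MM-DD."""
    if s.isdigit():
        return int(s)
    return int(datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())


def parse_listing(text):
    """Parse colon-format output into one dict per primary key."""
    keys, cur, in_sub = [], None, False
    for line in text.splitlines():
        f = line.split(":") + [""] * 12        # pad so short lines never IndexError
        rec = f[0]
        if rec == "pub":
            cur = {"keyid": f[4].upper(), "fprs": [], "sigs": []}
            keys.append(cur)
            in_sub = False
        elif rec == "sub":
            in_sub = True                      # following fpr/sig records belong to a subkey
        elif rec == "fpr" and cur is not None:
            cur["fprs"].append(f[9].upper())   # primary and subkey fingerprints
        elif rec == "sig" and cur is not None and not in_sub:
            signer = f[4].upper()
            # keep third-party certifications only; drop self-sigs and binding sigs
            if f[10][:2] in CERT_CLASSES and signer != cur["keyid"]:
                cur["sigs"].append({"signer": signer, "created": _epoch(f[5])})
    return keys


def scan(keys, blacklist=BLACKLIST, min_sigs=10, window=3600):
    """Return (keyid, reason) findings; an empty list means nothing suspicious."""
    bl = {b.upper() for b in blacklist}
    bad_longids = {b[-16:] for b in bl}   # v4 long key ID == last 16 hex of fingerprint
    findings = []
    for k in keys:
        if any(fpr in bl for fpr in k["fprs"]):
            findings.append((k["keyid"], "fingerprint on blacklist"))
        bad = sorted({s["signer"] for s in k["sigs"] if s["signer"] in bad_longids})
        if bad:
            findings.append((k["keyid"], "certified by blacklisted key(s): " + ", ".join(bad)))
        # Heuristic from the thread: many certifications with near-identical timestamps.
        signers = {s["signer"] for s in k["sigs"]}
        times = sorted(s["created"] for s in k["sigs"])
        if len(signers) >= min_sigs and times[-1] - times[0] <= window:
            findings.append((k["keyid"], f"{len(times)} certifications from "
                             f"{len(signers)} keys within {times[-1] - times[0]}s"))
    return findings


def _sig(signer, created, cls="13x"):   # one constructed sig record
    return f"sig:::1:{signer}:{created}::::[User ID not found]:{cls}:::::2:"


# Constructed sample listing: a genuine key certified by one blacklisted key,
# a sham key with 12 certifications a minute apart, and a blacklisted key.
SAMPLE_LISTING = "\n".join(
    ["pub:u:4096:1:1111111111111111:1402876800:::u:::scESC::::::23::0:",
     "fpr:::::::::" + "A" * 24 + "1111111111111111:",
     "uid:u::::1402876800::HASH1::Alice Example <alice@example.org>::::::::::0:",
     _sig("1111111111111111", 1402876800),          # self-signature, ignored
     _sig("4444444444444444", 1410000000),          # legitimate certification
     _sig("DDDDDDDDDDDDDDDD", 1450000000, "10x"),   # from a blacklisted key
     "sub:u:4096:1:5555555555555555:1402876800::::::e::::::23:",
     "fpr:::::::::" + "A" * 24 + "5555555555555555:",
     "pub:u:4096:1:2222222222222222:1470000000:::-:::scESC::::::23::0:",
     "fpr:::::::::" + "B" * 24 + "2222222222222222:",
     "uid:-::::1470000000::HASH2::Bob Example <bob@example.org>::::::::::0:"]
    + [_sig(f"30000000000000{i:02X}", 1470000000 + 60 * i) for i in range(1, 13)]
    + ["pub:u:4096:1:3333333333333333:1470000000:::-:::scESC::::::23::0:",
       "fpr:::::::::" + "C" * 24 + "3333333333333333:",
       "uid:-::::1470000000::HASH3::Carol Example <carol@example.org>::::::::::0:",
       _sig("3333333333333333", 1470000000)])


def demo():
    """Run the check over the constructed sample instead of a live keyring."""
    return scan(parse_listing(SAMPLE_LISTING))


def main():
    cmd = ["gpg", "--with-colons", "--fixed-list-mode", "--fingerprint", "--list-sigs"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    for keyid, reason in scan(parse_listing(out)):
        print(f"WARNING {keyid}: {reason}")


if __name__ == "__main__":
    main()
```

Two points worth noting when turning this into a real tool. First, the blacklist should be matched on full fingerprints (and, for signers, at least the 64-bit long ID, which `--with-colons` always emits even when the signer's key is not in the keyring); matching on 32-bit short IDs would be defeated by exactly the collision evil32 demonstrates. Second, the timestamp heuristic is only a warning: a key signed by many people at one keysigning party can legitimately accumulate certifications within a short window, so a match there should prompt a look at `gpg --check-sigs`, not an automatic deletion.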