On Tue, Nov 29, 2005 at 01:24:18AM +0100, Christoph Anton Mitterer wrote:
> Hi.
>
> Somewhere (unfortunately I've lost the URL) I've read about forging
> fingerprints and/or keyIDs (not sure)....
> Meaning that an attacker could create a key (but as far as I remember
> with a different keysize only) that has the same fingerprint and/or
> keyID as another key.
>
> Is that true?
> Is there any information about that issue? How it works, how I can
> secure myself against it, etc.

It was true, but not true any longer. Back in the PGP 2.x days, it was possible to create a key with (almost) any key ID you liked. See the various "DEADBEEF" keys on the keyservers for example. Similarly, it was possible to create a key that had the same fingerprint as a (also PGP 2.x) victim/target key.

If you have an OpenPGP (v4) key, such as created by GnuPG, then this basically doesn't apply to you.

David
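
An added illustration, not part of the original message and not GnuPG's code: how the key ID and fingerprint are derived for v3 (PGP 2.x) and v4 RSA public-key packets, following RFC 4880 section 12.2. It shows why a v3 key ID is just the tail of the modulus while a v4 key ID is derived from a hash over the whole packet. The helper names and the sample bytes are constructed for this example.

```python
import hashlib
import struct

def read_mpi(buf, off):
    """Return (value_bytes, next_offset) for the OpenPGP MPI at buf[off:]."""
    (bits,) = struct.unpack_from(">H", buf, off)
    size = (bits + 7) // 8
    return buf[off + 2:off + 2 + size], off + 2 + size

def key_identifiers(body):
    """Return (version, fingerprint_hex, key_id_hex) for an RSA public-key packet body."""
    version = body[0]
    if version == 4:
        # v4: SHA-1 over 0x99, two-byte body length and the whole body;
        # the key ID is the low 64 bits of that hash.
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
        return version, fpr.hex(), fpr[-8:].hex()
    if version in (2, 3):
        # v3 body: version(1) created(4) validity-days(2) algorithm(1), then MPIs n, e.
        n, off = read_mpi(body, 8)
        e, _ = read_mpi(body, off)
        # MD5 covers only the MPI value bytes (no lengths, no metadata);
        # the key ID is simply the low 64 bits of the modulus itself.
        return version, hashlib.md5(n + e).hexdigest(), n[-8:].hex()
    raise ValueError(f"unsupported public-key version {version}")

def mpi(value):
    """Encode big-endian bytes as an OpenPGP MPI (two-byte bit count + value)."""
    value = value.lstrip(b"\x00")
    return struct.pack(">H", (len(value) - 1) * 8 + value[0].bit_length()) + value

# Constructed sample material: placeholder bytes, not a real RSA modulus.
SAMPLE_N = bytes(range(0x81, 0xB9)) + bytes.fromhex("00112233deadbeef")
SAMPLE_E = bytes.fromhex("010001")
V3_BODY = b"\x03" + struct.pack(">IHB", 0, 0, 1) + mpi(SAMPLE_N) + mpi(SAMPLE_E)
V4_BODY = b"\x04" + struct.pack(">IB", 0, 1) + mpi(SAMPLE_N) + mpi(SAMPLE_E)

if __name__ == "__main__":
    for body in (V3_BODY, V4_BODY):
        print("v%d fingerprint=%s keyid=%s" % key_identifiers(body))
```

The same placeholder modulus yields the key ID `00112233deadbeef` in the v3 packet, while the v4 key ID depends on every byte of the packet, including the lengths.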