On 05/02/16 13:06, Robert J. Hansen wrote:
> What's the justification?

If somebody can create a long-keyID collision, and you download your own key by that key ID and also import the other one, they might be able to be the one that gets "encrypted-to", I think? Another way to get on your keyring is when someone attaches "their" public key to an e-mail and you click import.

If I just specify a key ID as encrypt-to in my gpg.conf, I don't get a warning like "It is NOT certain that the key belongs to the person"; it just encrypts to a key with unknown validity without giving so much as a peep! So the usual "collisions are not a problem because the key is invalid" doesn't apply. You're stuck with the much weaker "your own key will probably be first in the keyring, so it will use that". I don't feel comfortable with such a weak assurance.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
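The concern in the message above is that an `encrypt-to` line naming only a 64-bit long key ID silently resolves to whichever key in the keyring happens to carry that ID. A defender-side check for this condition, added here as an example that is not part of the mailing-list thread, parses the machine-readable output of `gpg --with-colons --list-keys` and reports every long key ID that is shared by more than one key (primary or subkey) in the keyring. The embedded listing is constructed for illustration: both fingerprints are made up, and the two primary keys were chosen to share the long ID `0123456789ABCDEF` so the collision is visible. The function `live_listing` is the only part that needs a real `gpg` binary on PATH.

```python
"""Detect long key ID collisions in a GnuPG keyring listing.

Parses `gpg --with-colons --list-keys` output. In that format the key ID is
the fifth field of a `pub`/`sub` record and the fingerprint is the tenth
field of the `fpr` record that follows it.
"""
import subprocess
from collections import defaultdict

# Constructed sample listing (not real keys). The two `pub` records
# deliberately share the long key ID 0123456789ABCDEF.
SAMPLE_LISTING = """\
tru::1:1450000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1450000000::u:::scESC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC33330123456789ABCDEF:
uid:u::::1450000000::0000000000000000000000000000000000000000::Alice (constructed) <alice@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1450000000::::::e::::::23:
fpr:::::::::DDDD4444EEEE5555FFFF6666FEDCBA9876543210:
pub:-:2048:1:0123456789ABCDEF:1460000000::-:::scESC::::::23::0:
fpr:::::::::9999888877776666555544440123456789ABCDEF:
uid:-::::1460000000::1111111111111111111111111111111111111111::Mallory (constructed) <mallory@example.invalid>::::::::::0:
"""


def key_ids_from_listing(listing):
    """Map each long key ID (upper-case hex) to the set of fingerprints carrying it."""
    ids = defaultdict(set)
    pending_key_id = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            # Remember the key ID; its fingerprint arrives on the next `fpr` record.
            pending_key_id = fields[4].upper()
        elif fields[0] == "fpr" and pending_key_id is not None:
            ids[pending_key_id].add(fields[9].upper())
            pending_key_id = None
    return ids


def find_collisions(listing):
    """Return {key_id: sorted list of fingerprints} for IDs shared by more than one key."""
    return {
        key_id: sorted(fprs)
        for key_id, fprs in key_ids_from_listing(listing).items()
        if len(fprs) > 1
    }


def live_listing():
    """Fetch the real keyring listing; requires `gpg` on PATH."""
    result = subprocess.run(
        ["gpg", "--with-colons", "--list-keys"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    collisions = find_collisions(live_listing())
    if not collisions:
        print("no long key ID collisions in keyring")
    for key_id, fprs in collisions.items():
        print(f"long key ID {key_id} matches {len(fprs)} keys: {', '.join(fprs)}")
```

Run against the sample, the script reports `0123456789ABCDEF` with two fingerprints and ignores the subkey, which is unique. Whatever the check finds, the durable fix is to write the full 40-hex-digit fingerprint in the `encrypt-to` line instead of a key ID, since GnuPG accepts a fingerprint anywhere a key ID is accepted and a fingerprint cannot be made ambiguous by importing another key.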