Wolf: Stop it with those short PGP key IDs!

by
n8willis
from LWN.net on (#1G291)

At his blog, Gunnar Wolf urges developers to stop using"short" (eight hex-digit) PGP key IDs as soon as possible. Theimpetus for the advice originates with Debian's Enrico Zini, who recentlyfound two keys sharing the same short ID in the wild. Thepossibility of short-ID collisions has been known for a while, but itis still disconcerting to see in the wild. "Those three keysare not (yet?) uploaded to the keyservers, though... But we can expectthem to appear at any point in the future. We don't know who is behindthis, or what his purpose is. We just know this looks veryevil."

Wolf goes on to note that short IDs are not merely human-readableconveniences, but are actually used to identify PGP keys in somesoftware programs. To mitigate the risk, he recommends configuringGnuPG to never shows short IDs, to ensure that other programs do notconsume short IDs, and to "only sign somebody else's key if yousee and verify its full fingerprint. [...] And there are surely many other important recommendations. But this is a good set of points to start with."

External Content
Source RSS or Atom Feed
Feed Location http://lwn.net/headlines/rss
Feed Title LWN.net
Feed Link https://lwn.net/
Reply 0 comments