qemu-devel

Re: [Qemu-devel] Reminder: don't trust 32-bit short IDs when using GPG!


From: Thomas Huth
Subject: Re: [Qemu-devel] Reminder: don't trust 32-bit short IDs when using GPG!
Date: Wed, 17 Aug 2016 17:53:08 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2

On 10.06.2016 16:46, Peter Maydell wrote:
> We've noticed recently that the GPG keyservers have fake keys for
> some of the QEMU maintainers, which have keys which have been
> deliberately constructed to have collisions on the 32-bit "short ID"
> field which gpg shows you by default.
> 
> (Example:
> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x14360CDE
> shows both my actual key and a fake.)
> 
> It's been known for years that it's pretty easy to construct a
> key with whatever 32-bit short ID you like:
>  http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
>  https://evil32.com/

FWIW, seems like the fake keys have finally been revoked on the key
servers (got the news from
http://www.heise.de/newsticker/meldung/Haufenweise-Fake-PGP-Schluessel-im-Umlauf-3297175.html).

 Thomas
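Added example, not part of the original message or of QEMU's tooling: a keyring check for the collision problem described in the quoted text. It parses the output of `gpg --with-colons --fingerprint --list-keys`, groups primary keys by 32-bit short ID and reports any short ID shared by more than one fingerprint. The sample output and its fingerprints are constructed, and the function names are hypothetical; v4 (40 hex digit) fingerprints are assumed.

```python
from collections import defaultdict

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output.
# All fingerprints below are made up for illustration.
SAMPLE = """\
pub:-:4096:1:89ABCDEFDEADBEEF:1465000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDEADBEEF:
uid:-::::1465000000::X::Maintainer A <a@example.org>:
pub:-:4096:1:76543210DEADBEEF:1465000001:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210DEADBEEF:
uid:-::::1465000001::Y::Maintainer A <a@example.org>:
pub:-:4096:1:1111111122222222:1465000002:::-:::scESC:
fpr:::::::::1111111111111111111111111111111122222222:
uid:-::::1465000002::Z::Maintainer B <b@example.org>:
"""

def primary_fingerprints(colon_output):
    """Yield the full fingerprint of each primary key (skips subkey fpr records)."""
    expect_fpr = False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_fpr = True
        elif fields[0] == "sub":
            expect_fpr = False
        elif fields[0] == "fpr" and expect_fpr and len(fields) > 9:
            yield fields[9].upper()   # field 10 carries the fingerprint
            expect_fpr = False

def short_id_collisions(colon_output):
    """Map each short ID held by more than one distinct key to those keys."""
    groups = defaultdict(list)
    for fpr in primary_fingerprints(colon_output):
        groups[fpr[-8:]].append(fpr)  # short ID = low 32 bits of the fingerprint
    return {sid: fprs for sid, fprs in groups.items() if len(set(fprs)) > 1}

def is_full_fingerprint(key_ref):
    """True only for a 40 hex digit v4 fingerprint; short and long IDs fail."""
    digits = key_ref.replace(" ", "").upper()
    if digits.startswith("0X"):
        digits = digits[2:]
    return len(digits) == 40 and all(c in "0123456789ABCDEF" for c in digits)

if __name__ == "__main__":
    for sid, fprs in short_id_collisions(SAMPLE).items():
        print(f"short ID {sid} is shared by {len(fprs)} keys:")
        for fpr in fprs:
            print("   ", fpr)
```

`is_full_fingerprint` can gate any script or config that names a signing key, so that a short ID such as `0x14360CDE` is never accepted as a key reference.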



