[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sks-devel] 32-bit (short ID) collisions: New milestone(?) reached
From: |
Kristian Fiskerstrand |
Subject: |
Re: [Sks-devel] 32-bit (short ID) collisions: New milestone(?) reached |
Date: |
Sat, 4 Jun 2016 22:44:41 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.1.0 |
On 06/04/2016 12:43 AM, Gunnar Wolf wrote:
> There are several tools relying on this (now very) weak 32-bit scheme;
> the first such tool we found was precisely the «PGP pathfinder & key
> statistics» service, which fails badly: Even specifying the full
> fingerprints, I do get three (absolutely fake!) trust path into the
> impostor:
I'd like to take a bit of time to comment on this. The web of trust in
the abstract is all nice, but ultimately services such as the pathfinder
is only a tool to guide in how you can find a direct path. It is not a
replacement for actually properly configuring the trustdb and doing
(local) signatures of external keys that are to be used in the validity
calculation. So I fail to see an issue in this case, really, a simple
tool can be fooled, but the underlying model is sound.
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"We can only see a short distance ahead, but we can see plenty there
that needs to be done."
(Alan Turing)
signature.asc
Description: OpenPGP digital signature