Post Syndicated from n8willis original http://lwn.net/Articles/689792/rss
At his blog, Gunnar Wolf urges developers to stop using
“short” (eight hex-digit) PGP key IDs as soon as possible. The
impetus for the advice originates with Debian’s Enrico Zini, who recently
found two keys sharing the same short ID in the wild. The
possibility of short-ID collisions has been known for a while, but it
is still disconcerting to see in the wild. “Those three keys
are not (yet?) uploaded to the keyservers, though… But we can expect
them to appear at any point in the future. We don’t know who is behind
this, or what his purpose is. We just know this looks very
evil.”
Wolf goes on to note that short IDs are not merely human-readable
conveniences, but are actually used to identify PGP keys in some
software programs. To mitigate the risk, he recommends configuring
GnuPG to never show short IDs, to ensure that other programs do not
consume short IDs, and to “only sign somebody else’s key if you
see and verify its full fingerprint. […] And there are surely many other important recommendations. But this is a good set of points to start with.”
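The mitigation above rests on one fact: a short key ID is a truncation of the fingerprint, so a collision checker and a "full fingerprint only" gate are a few lines of code. The following Python is an added example, not code from Wolf's post or from LWN; the fingerprints in it are constructed and do not belong to real keys.

```python
import re
from collections import defaultdict
# For OpenPGP v4 keys the 64-bit key ID is the low 64 bits of the 160-bit
# SHA-1 fingerprint and the "short" ID is the low 32 bits of that. Both are
# plain truncations, so distinct keys can share a short ID while their full
# fingerprints differ, which is exactly the collision the post describes.
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")

def normalize(fpr: str) -> str:
    """Strip spaces and a 0x prefix, upper-case; reject anything but a full fingerprint."""
    cleaned = fpr.replace(" ", "").upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not FINGERPRINT_RE.match(cleaned):
        raise ValueError(f"not a full 40-hex-digit fingerprint: {fpr!r}")
    return cleaned

def long_id(fpr: str) -> str:
    return normalize(fpr)[-16:]

def short_id(fpr: str) -> str:
    return normalize(fpr)[-8:]

def short_id_collisions(fprs):
    """Return {short_id: [fingerprints]} for every short ID shared by >1 key."""
    by_short = defaultdict(list)
    for f in fprs:
        by_short[short_id(f)].append(normalize(f))
    return {k: v for k, v in by_short.items() if len(v) > 1}

def is_full_fingerprint(identifier: str) -> bool:
    """True only for a complete fingerprint, the only identifier worth signing against."""
    try:
        normalize(identifier)
        return True
    except ValueError:
        return False

# Constructed sample fingerprints (not real keys): the first two differ
# everywhere except the last eight hex digits, so they share a short ID.
SAMPLE_FINGERPRINTS = [
    "0123456789ABCDEF0123456789ABCDEF DEADBEEF",
    "FEDCBA9876543210FEDCBA9876543210 DEADBEEF",
    "00112233445566778899AABBCCDDEEFF00112233",
]
if __name__ == "__main__":
    for fpr in SAMPLE_FINGERPRINTS:
        print(normalize(fpr), long_id(fpr), short_id(fpr))
    print("short-ID collisions:", short_id_collisions(SAMPLE_FINGERPRINTS))
```

Run against the output of a real keyring listing, the same functions flag any two keys whose short IDs coincide, and `is_full_fingerprint` rejects the eight- and sixteen-digit forms a signing script should never accept as input.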