--lc9FT7cWel8HagAv Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable * Povl H. Pedersen (popeat_private) [000308 10:29]: > [...] > Adding Mike Evans' public key to the keyring still results in the > signature verification being OK, but the username is listed as > unknown. > [...] > The problem is, that the PGP servers expects all key IDs to be unique > numbers, and does not expect 2 users to have the same keyID. And with > the current amount of users, we are starting to get multiple users > with the same keyID. > [...] Hmmmm. If this were true, this means that the public keys and not just=20 the key ids are the same (the key id is derived from the key, so if the keys are the same, the key id must be the same, too). Therefore, this has nothing to do with the key servers, but with the creation and=20 assignment of keys. Today, the key is generated using a strong random number algorithm and there is no way to check whether some key has already been created by another user. In fact, it's totally impossible=20 to avoid this kind of collusion. The only thing one could try is to detect such double spending of keys and make the users generate new keys if this happens. However, the chances that two people generate the same 1024 bit random number (less than 1024 bit are to be considered insecure) are so low, that this should be considered unnecessary.=20 Now, that there seems to be the case that two people generated the same public key, one has to think about the quality of the used random=20 number generator. There is the chance, that the seed that is used to initialize this generator is predictable. This, however, would be an implementation flaw of _some_ versions of PGP, and no real problem of the standard.=20 I'd like to know who the two people with the same keys are and what versions of PGP they used to generate the keys. Of course, both guys should revoke their keys immediately.=20 Ciao, Tobias --=20 Dipl. Inform. Tobias Haustein Department of Computer Science IV, Aachen University of Technology Ahornstr. 55, D-52056 Aachen Phone +49 (241) 80-21417, Fax +49 (241) 8888-220 E-Mail hausteinat_private-aachen.de Web http://www-i4.informatik.rwth-aachen.de/~haustein/ --lc9FT7cWel8HagAv Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use MessageID: AHLQTs+SW3t/+otm+VyWGwy4jieBJ410 iQEVAwUBOMYiFhs02tO3FOYBAQG+wAf/Ya+M506jDOkDWpCjQ1ywsXcWigjzTRoC eBwn9Vnv9MVihpehx1It9kJA5GhuOTuOROfIEsih98Uo9Obtvaw3HHpgddpLmovp uU3Oz79Ndnw/MkE9H9Wu/u5a46J2NR/xaI9jlLlgtTB1EQcDBi1/EeqA+vBaoXGl 4G7PT3QWmZHDjQto7uOEbGJ/Rqwg7e0bIAZ6x1e+5vdWtl/7AmVqtujGXs3qbUmZ z8wxQEpxeEUR3nBqDix2ugzGH2Xv5ExOyaq4oTicIr6lQPQxhlpyq+4e4FfTMm+v r9I7Tw383nDOYS8PinKtROpmnWTvSKy4wPs+1MQ6SC1rr/DkCmI7hw== =DkK0 -----END PGP SIGNATURE----- --lc9FT7cWel8HagAv--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:13 PDT