"Povl H. Pedersen" <popeat_private> writes: > This was the first time he verified it. > > The signature has Key ID: 0x6F620B65 > > So he had to look up the key using the keyservers, and surprisingly > enough, the server did NOT return the name of the sender, but of a > person called "Mike Evans". Several answers in this thread have addressed quite a few problems regarding faked user IDs and key IDs. This kind of attack is a significant threat only if you rely on this information to establish the validity of a public key, but of course, this approach is fundamentally flawed. The problem that Povl observed was likely quite different. According to my own attempts, NAI's server simply returned the wrong key, which didn't share any obvious characteristics with the one which was requested (both key ID and user ID were different). Currently, I'm unable to reproduce the server behavior, though. BTW: If you want to hide the name of your communication partners, it's not very wise to reveal their PGP key ID, especially if it's registered at public key servers. -- Florian Weimer Florian.Weimerat_private-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS Security Team +49-711-685-5973/fax +49-711-685-5898 http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:40 PDT