this is not quite the cypherpunk's creed...because there is no such jingoist thing. but still:

"this is my pgp key. there are many like it, but this one is mine. my key is my best friend. without me, my key is useless."

...except that there are assholes out there who spend time on engineering pgp short-id collisions.

so, this is my key, as is this really ancient one and also this work key (ignoring some revoked and expired old keys). my set of keys is of course also available on this very website.

but if you search the keyservers for keys with my email address or by short key id, then you'll find some very clashing crap that does not belong to me at all:

$ gpg --batch --search-keys --keyid-format short B963BD5F
4096 bit RSA key B963BD5F, created: 2014-06-16, expires: 2016-11-02 (revoked) (expired)
4096 bit RSA key B963BD5F, created: 2013-11-03, expires: 2019-07-02

$ gpg --batch --search-keys --keyid-format short 5B586291
1024 bit RSA key 5B586291, created: 2014-06-16 (revoked)
1024 bit RSA key 5B586291, created: 1996-08-03

$ gpg --batch --search-keys --keyid-format short 42BD645D
1024 bit DSA key 42BD645D, created: 1999-06-06, expires: 2015-09-11 (expired)
1024 bit RSA key 42BD645D, created: 2014-06-16, expires: 2015-09-10 (revoked) (expired)

in all three cases the key created on (or with the clock set to) 2014-06-16 is not mine, despite the short form of the key id matching mine. the long ids are different, just as expected.
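why that works, as an added example (not code from this post): for v4 openpgp keys the long and short key ids are just the last 64 and 32 bits of the sha-1 fingerprint (rfc 4880, section 12.2), so a check that groups keys by short id and pins the full fingerprint catches exactly this kind of clash. the fingerprints in SAMPLE are constructed for illustration and are not my keys or anybody else's; all function names are made up for this sketch.

```python
import hashlib
from collections import defaultdict

def v4_fingerprint(packet_body: bytes) -> str:
    # rfc 4880 12.2: sha-1 over 0x99, two-byte big-endian length, public key packet body
    header = b"\x99" + len(packet_body).to_bytes(2, "big")
    return hashlib.sha1(header + packet_body).hexdigest().upper()

def normalize(fpr: str) -> str:
    # gpg prints fingerprints in space-separated groups; compare without them
    return "".join(fpr.split()).upper()

def long_id(fpr: str) -> str:
    return normalize(fpr)[-16:]   # low 64 bits of the fingerprint

def short_id(fpr: str) -> str:
    return normalize(fpr)[-8:]    # low 32 bits of the fingerprint

def short_id_clashes(fingerprints):
    # group keys by short id, keep only ids claimed by more than one distinct key
    groups = defaultdict(set)
    for fpr in fingerprints:
        groups[short_id(fpr)].add(normalize(fpr))
    return {sid: sorted(fprs) for sid, fprs in groups.items() if len(fprs) > 1}

def pick_pinned(fingerprints, pinned):
    # select a key only by its full fingerprint; refuse anything shorter
    want = normalize(pinned)
    if len(want) != 40:
        raise ValueError("pin the full 40-hex-digit fingerprint, not a key id")
    return [normalize(f) for f in fingerprints if normalize(f) == want]

# constructed sample keyring: the first two share a short id, nothing else
SAMPLE = [
    "1111 2222 3333 4444 5555  6666 7777 8888 0BAD C0DE",
    "9999AAAABBBBCCCCDDDDEEEEFFFF00000BADC0DE",
    "0123456789ABCDEF0123456789ABCDEF01234567",
]

if __name__ == "__main__":
    for sid, fprs in short_id_clashes(SAMPLE).items():
        print("short id", sid, "is claimed by", len(fprs), "different keys:")
        for f in fprs:
            print("  long id", long_id(f), "fingerprint", f)
    print("pinned match:", pick_pinned(SAMPLE, SAMPLE[0]))
```
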

moral: short key ids are passé, use the long ones and only the long ones.

moral 2: there's always some asshole somewhere who tries to wreck things just to wreck things.

[ published on Sat 05.11.2016 12:34 | filed in interests/crypto | ]
© Alexander Zangerl