On May 29, 2012, at 3:34 PM, Daniel Kahn Gillmor wrote: > On 05/29/2012 02:18 PM, David Shaw wrote: >> The reason I bring it up is that using the v3 key attack, 64-bit key IDs >> have no particular benefit over 32-bit IDs for intentional collisions (i.e. >> an attacker generating a key with the same key ID as the victim in order to >> confuse matters and/or steal traffic). It's just as easy to forge 64 bits >> as it is to forge 32… > > Right, which is why gpg should default to not processing/accepting v3 > keys either, frankly. The window for v3 being deprecated started long > ago. If we expect people to rely on gpg for any sort of key management, > it ought to have reasonably safe and sane defaults.
While I don't think the world is ready for a change in default visibility from 32 to 64 bit key IDs, I am in favor of this by default. David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
