On 2017/05/16 14:47, Janne Inkilä wrote:
> Did someone really generate a same-looking key? And why? Any ideas?

Yes, they did. Most of the strong set was duplicated by the Evil32
project in order to demonstrate the danger of relying on short key IDs
(because on modern hardware it takes mere seconds to generate a fake key
with the same short ID). Unfortunately the fake keys got uploaded to an
SKS server and polluted the database. The authors then mass-revoked all
the offending keys, but since SKS is append-only they still appear in
search results.

https://evil32.com/

The fact that invalid (even suspicious) keys exist on the SKS servers
(or anywhere on the internet for that matter) is in itself not a problem
- any decent public-key infrastructure must be designed under the
assumption that forgeries are inevitable and use some other method
(signatures, out-of-band verification) to determine the validity of keys.

The moral of the story is: don't believe everything you see on the
internet. ;-)

Andrew.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
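An added illustration of the point above (not code from this thread or from the Evil32 project): the short key ID is nothing more than the last 32 bits of the SHA-1 fingerprint, so the only sound check is against the full fingerprint. The RSA key bytes and the fingerprint strings below are constructed sample values.

```python
import hashlib
from collections import defaultdict

def v4_fingerprint(packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880 section 12.2): SHA-1 over the byte
    0x99, the 2-byte big-endian length of the public-key packet body, and
    the body itself."""
    data = b"\x99" + len(packet_body).to_bytes(2, "big") + packet_body
    return hashlib.sha1(data).hexdigest().upper()

def short_key_id(fingerprint: str) -> str:
    """Short (32-bit) key ID: just the last 8 hex digits of the fingerprint."""
    return fingerprint.replace(" ", "").upper()[-8:]

def long_key_id(fingerprint: str) -> str:
    """Long (64-bit) key ID: the last 16 hex digits of the fingerprint."""
    return fingerprint.replace(" ", "").upper()[-16:]

def build_rsa_key_packet(created: int, n: bytes, e: bytes) -> bytes:
    """Assemble a v4 RSA public-key packet body: version, creation time,
    algorithm 1 (RSA), then modulus and exponent as MPIs (bit count + bytes).
    The modulus/exponent passed in here are constructed sample bytes."""
    def mpi(x: bytes) -> bytes:
        x = x.lstrip(b"\x00")
        bits = (len(x) - 1) * 8 + x[0].bit_length()
        return bits.to_bytes(2, "big") + x
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)

def short_id_collisions(fingerprints):
    """Keyring check: group keys by short ID and report every ID that is
    claimed by more than one key (what an Evil32-style duplicate looks like)."""
    groups = defaultdict(list)
    for fpr in fingerprints:
        groups[short_key_id(fpr)].append(fpr.replace(" ", "").upper())
    return {sid: keys for sid, keys in groups.items() if len(keys) > 1}

def key_matches(fingerprint: str, expected: str) -> bool:
    """Accept a key only on a full 40-hex-digit fingerprint match; an 8- or
    16-digit key ID as 'expected' is refused rather than compared."""
    exp = expected.replace(" ", "").upper()
    if len(exp) != 40:
        return False
    return fingerprint.replace(" ", "").upper() == exp

if __name__ == "__main__":
    fpr = v4_fingerprint(build_rsa_key_packet(1494942420, b"\xc1" * 32, b"\x01\x00\x01"))
    print(fpr, "short ID:", short_key_id(fpr))
```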
