
Re: Check for revocation certificates before running apt-get?



On Sun, Dec 15, 2013 at 03:15:03AM +0000, adrelanos wrote:
> > When you implement this, please ensure it isn't vulnerable to any
> > duplicate-keyid problems:
> > 
> > http://debian-administration.org/users/dkg/weblog/105
> 
> Damn, I wasn't aware of the latest news that long key ids are now also
> insecure. Thank you for educating me.

I think this really shouldn't surprise someone, and I think
we've really been saying this for like 10 years.  Please note
that the "long key" is the last 64 bits of the fingerprint,
not the whole 160 bits of the SHA-1.

But SHA-1 is known to only have about a 2^60 collision resistance,
and that's not even considered secure anymore for some time now
and we really should move to SHA-2 for the fingerprint.  But it
seems that for some reason they are delaying starting with
openpgp v5 until we have SHA-3.


Kurt
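An added illustration (not part of the thread) of the point made above: a v4 OpenPGP fingerprint is the SHA-1 of the public key packet, and the "long" and "short" key ids are just its trailing 8 and 4 bytes. The RSA modulus, exponent and creation time are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed placeholder key material: a 2048-bit odd number with the top
# bit set, so it encodes like a real modulus but belongs to no one.
FAKE_MODULUS = int.from_bytes(b"\xc0" + b"\x5a" * 254 + b"\x01", "big")
FAKE_EXPONENT = 65537
CREATED = 1386902400  # constructed creation timestamp (seconds since epoch)

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 section 3.2):
    two-byte bit length followed by the big-endian magnitude."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">H", n.bit_length()) + body

def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public key packet (RFC 4880 section 5.5.2):
    version byte, creation time, algorithm id 1 (RSA), then MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length,
    and the packet body. 20 bytes = 160 bits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_ids(fpr: bytes) -> dict:
    """Key ids are simply the trailing bytes of the fingerprint: 8 bytes for
    the 'long' id, 4 for the 'short' id. Everything before them is dropped."""
    return {
        "fingerprint": fpr.hex().upper(),
        "long_id": fpr[-8:].hex().upper(),
        "short_id": fpr[-4:].hex().upper(),
        "bits_ignored_by_long_id": (len(fpr) - 8) * 8,
        "bits_ignored_by_short_id": (len(fpr) - 4) * 8,
    }

def fingerprint_matches(expected_hex: str, fpr: bytes) -> bool:
    """The check a key-pinning script should make: compare the whole
    fingerprint, never a key id. Spaces and case in the pinned value are ignored."""
    return expected_hex.replace(" ", "").upper() == fpr.hex().upper()

if __name__ == "__main__":
    body = v4_public_key_body(CREATED, FAKE_MODULUS, FAKE_EXPONENT)
    fpr = v4_fingerprint(body)
    for name, value in key_ids(fpr).items():
        print(f"{name}: {value}")
```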

