duplicate keyid survey results

Len Sassaman rabbi@quickie.net
Sat Mar 9 04:28:02 2002


On Fri, 8 Mar 2002, David Shaw wrote:


> I'd even like to be able to search by fingerprint.  The way I see it,
> since the 32-bit keyid is just the lowest 32 bits of the fingerprint,
> and the 64-bit keyid is just the lowest 64 bits of the fingerprint,
> the keyserver must calculate the fingerprint no matter what.  Since
> it's already calculated, it would be nice to use it.

Yes, this is a good idea.

> > 3) I think "all matching keys are returned" solution is not a perfect
> > idea. But I can support it easily for my public key server.  I'd like
> > to know how about this solution for PGP or GPG.
>
> If you don't think this is the right way to go, what do you suggest as
> an alternative?  I think a warning is fine, but not returning one of
> the keys leaves the keyserver open for a denial of service attack.

Agreed -- a warning is warranted, but the key server software shouldn't be
deciding not to report keys simply because they share key-ids with other
keys.


--Len.
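
The lookup behaviour discussed in this thread, as an added example that is not part of the original message or of any keyserver's code: an index keyed by full fingerprint that answers 32-bit keyid, 64-bit keyid and fingerprint queries, returns every matching key, and attaches a warning when an id is shared. It assumes V4 keys (where the keyid is the low-order bits of the 160-bit fingerprint); the `KeyIndex` class and the sample fingerprints are constructed for illustration.

```python
# Added example: fingerprint-derived lookup that returns every matching key.
# Assumption: V4 keys, so the key ID is the low-order bits of the fingerprint.

class KeyIndex:
    """In-memory index keyed by full fingerprint (hypothetical, for illustration)."""

    def __init__(self):
        self._keys = {}  # fingerprint (40 upper-case hex chars) -> key label

    @staticmethod
    def _normalize(value):
        value = value.replace(" ", "").upper()
        if value.startswith("0X"):
            value = value[2:]
        # 8, 16 or 40 hex digits: 32-bit keyid, 64-bit keyid, full fingerprint
        if len(value) not in (8, 16, 40) or any(c not in "0123456789ABCDEF" for c in value):
            raise ValueError("expected a 32-bit keyid, 64-bit keyid or 160-bit fingerprint in hex")
        return value

    def add(self, fingerprint, label):
        fpr = self._normalize(fingerprint)
        if len(fpr) != 40:
            raise ValueError("add() needs the full fingerprint")
        self._keys[fpr] = label

    def lookup(self, query):
        """Return (matches, warning). A key is never dropped because its id collides."""
        q = self._normalize(query)
        # One suffix comparison covers all three query widths.
        matches = sorted((fpr, label) for fpr, label in self._keys.items() if fpr.endswith(q))
        warning = None
        if len(matches) > 1:
            warning = f"{len(matches)} keys share {len(q) * 4}-bit id {q}; verify the full fingerprint"
        return matches, warning


# Constructed sample fingerprints (not real keys): the first two share their low 32 bits.
INDEX = KeyIndex()
INDEX.add("0123456789ABCDEF0123456789ABCDEFDEADBEEF", "key A")
INDEX.add("FEDCBA9876543210FEDCBA9811112222DEADBEEF", "key B")
INDEX.add("00112233445566778899AABBCCDDEEFF01020304", "key C")

if __name__ == "__main__":
    for query in ("0xDEADBEEF", "89ABCDEFDEADBEEF", "00112233445566778899AABBCCDDEEFF01020304"):
        matches, warning = INDEX.lookup(query)
        print(query, [label for _, label in matches], warning or "")
```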