Why do I receive keys I wouldn't expect
David Shaw
dshaw at jabberwocky.com
Sun Oct 16 16:42:32 CEST 2011
On Oct 16, 2011, at 8:57 AM, Martin Jachs wrote:
> I issued the following command to receive my own public key for my other mail address "m.jachs at gmx.net".
>
> gpg --keyserver sks-keyservers.net --recv-keys D870A352
>
> and got the following output
>
> gpg: requesting key D870A352 from hkp server sks-keyservers.net
> gpg: key D870A352: "Martin Jachs (Regular email address) <m.jachs at gmx.net>" not changed
> gpg: key E66B2314: public key "Forest Jordan <me at inetz.com>" imported
> gpg: Total number processed: 2
> gpg: imported: 1
> gpg: unchanged: 1
>
> My question now is: Why is the key for "me at inetz.com" imported? My key has only been signed by me and has no other user IDs than mine. The output from http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&fingerprint=on&search=0xB073838BD870A352 shows this.
>
> I encountered this while importing my own public key on another machine (with Kleopatra) and got surprised.
You managed to hit a (presumably natural) keyid collision. It's rare, but not impossible. Your primary key has the keyid of D870A352. The other key happens to have a subkey with the keyid of the same D870A352. OpenPGP keyids are made by chopping down the full key fingerprint (40 characters) into a long keyid (16 characters) or a short keyid (8 characters). In this case, the full fingerprints and long keyids do not match - you just happened to collide in the lower 8 characters.
This is why it's important to check the whole fingerprint when signing keys.
David
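As an added illustration that is not part of the thread: the v4 fingerprint computation from RFC 4880 section 12.2, the long/short keyid truncation David describes, and a lookup that matches a keyid against primary keys and subkeys the way the keyserver did. All fingerprints and key material here are constructed, not real keys.

```python
import hashlib

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then minimal big-endian bytes."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def v4_fingerprint(creation_time: int, algo: int, mpis: list) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, 2-byte body length, then the v4 public-key packet body
    (version byte, 4-byte creation time, algorithm id, the key's MPIs)."""
    body = b"\x04" + creation_time.to_bytes(4, "big") + bytes([algo])
    body += b"".join(mpi(m) for m in mpis)
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def long_keyid(fingerprint: str) -> str:
    return fingerprint[-16:]   # last 64 bits

def short_keyid(fingerprint: str) -> str:
    return fingerprint[-8:]    # last 32 bits: the part that collided in the thread

def keys_matching(keyring: dict, keyid: str) -> list:
    """Names of keys whose primary key *or any subkey* fingerprint ends in this keyid.
    A short id matches 32 bits only, so unrelated keys can be returned together."""
    want = keyid.upper().removeprefix("0X")
    return [name for name, fps in keyring.items()
            if any(fp[-len(want):] == want for fp in fps)]

# Constructed fingerprints: bob's subkey shares only the last 8 hex digits with alice's primary key.
KEYRING = {
    "alice (primary only)": ["0123456789ABCDEF0123456789ABCDEFDEADBEEF"],
    "bob (primary + subkey)": ["FEDCBA9876543210FEDCBA9876543210CAFEF00D",
                               "FFFFFFFFFFFFFFFFFFFFFFFF00000000DEADBEEF"],
}

if __name__ == "__main__":
    print(keys_matching(KEYRING, "DEADBEEF"))          # both keys, like the --recv-keys output
    print(keys_matching(KEYRING, "0x89ABCDEFDEADBEEF"))  # long id: only alice
    print(v4_fingerprint(1318776152, 1, [0xB5, 0x11]))   # constructed toy RSA key (algo 1)
```

Asking the keyserver for a full fingerprint, or at least the long keyid, is what disambiguates the two keys.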