by ckastner 3600 days ago
This has also been discovered with the Debian project, as I submitted a while ago [1].

The really scary part is the follow-up [2]:

  > $ gpg --search-key samuel.thibault@gnu.org
  > ...
  > (1) Samuel Thibault <samuel.thibault@gnu.org>
  > 4096 bit RSA key 7D069EE6, created: 2014-06-16

  And it has 55 signatures from 55 colliding keys...
Edit: even the 64-bit fingerprint is probably insufficient, see [3].

[1] https://lists.debian.org/debian-devel/2016/08/msg00143.html

[2] https://lists.debian.org/debian-devel/2016/08/msg00144.html

[3] https://lists.debian.org/debian-devel/2016/08/msg00215.html


Why is this scary?
Because it removes many obvious tells of a deliberate key collision targeting a specific key, and thus is harder to detect.

For example, pgp.mit.edu and Enigmail would currently output information for both keys that would be almost identical as of 2014-08-05, the day evil32 apparently generated the keys. I say "almost" only because they didn't set the correct timestamps, and apparently did not duplicate all UIDs -- but they easily could have.

The diligent PGP user will of course not fall into such a trap, but an inexperienced user easily might, and there are many of them.

The whole point of this research was to underscore that PGP key acquisition is commonly broken. You could choose to blame PGP software, users, documentation, or the web-of-trust model itself, but in any case what a significant number of people commonly do is unsafe.
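The mechanics behind both the colliding 7D069EE6 key in the first comment and the "even 64 bits is probably insufficient" remark: an OpenPGP v4 fingerprint is SHA-1 over the public-key packet, and the long and short key IDs are nothing more than its last 8 and 4 bytes, so anyone who can generate candidate keys quickly can search for one whose fingerprint ends in the bytes they want. The script below is an added example, not code from the thread or from evil32. It builds RFC 4880 key packets from constructed (non-prime, deterministic) moduli, computes the fingerprint and key IDs, and then finds a 16-bit suffix collision by varying only the creation timestamp; a real attack generates fresh key material instead, and the 32-bit (short key ID) case costs 65536 times as many tries, but the principle is identical. The 2014-06-16 timestamp is taken from the search output above; the moduli and the "victim"/"attacker" labels are assumptions.

```python
"""Why a 32-bit PGP key ID is not an identity: it is the last 4 bytes of a
SHA-1 fingerprint, and an attacker can search for a key whose fingerprint
ends in those same bytes. Added example; the keys here are constructed
stand-ins, not real RSA keys."""
import hashlib
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer (RFC 4880 s3.2): 2-byte bit count, big-endian magnitude."""
    if n == 0:
        return b"\x00\x00"
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_key_material(n: int, e: int) -> bytes:
    """Algorithm byte (1 = RSA) followed by the public MPIs n and e (RFC 4880 s5.5.2)."""
    return b"\x01" + mpi(n) + mpi(e)


def v4_public_key_body(creation_time: int, key_material: bytes) -> bytes:
    """Version-4 public-key packet body: version byte, 4-byte creation time, key material."""
    return b"\x04" + struct.pack(">I", creation_time) + key_material


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 s12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_ids(fp: bytes) -> tuple:
    """(long 64-bit ID, short 32-bit ID): both are plain suffixes of the fingerprint."""
    return fp[-8:].hex().upper(), fp[-4:].hex().upper()


def find_suffix_collision(target_fp: bytes, key_material: bytes, suffix_bytes: int,
                          start_time: int, max_tries: int):
    """Vary only the creation time until the last `suffix_bytes` of the fingerprint
    equal the target's. Expected work is about 2**(8*suffix_bytes) tries: 2 bytes is
    instant here, the 4-byte short-key-ID case is 65536x more, 8 bytes is out of reach
    this way (evil32 generated fresh key material on GPUs instead of using this trick)."""
    want = target_fp[-suffix_bytes:]
    for i in range(max_tries):
        t = start_time + i
        fp = v4_fingerprint(v4_public_key_body(t, key_material))
        if fp[-suffix_bytes:] == want:
            return t, fp
    return None


def constructed_modulus(label: bytes) -> int:
    """Deterministic 4096-bit stand-in for an RSA modulus (NOT a real key; fingerprinting
    does not check primality, so any bytes serve for the demonstration)."""
    return int.from_bytes(hashlib.sha256(label).digest() * 16, "big") | (1 << 4095)


def demo(suffix_bytes: int = 2) -> dict:
    """Collide the last `suffix_bytes` of a constructed victim key's fingerprint."""
    victim = rsa_key_material(constructed_modulus(b"victim"), 65537)
    created = 1402876800  # 2014-06-16 00:00 UTC, the creation date shown in the search output
    victim_fp = v4_fingerprint(v4_public_key_body(created, victim))
    attacker = rsa_key_material(constructed_modulus(b"attacker"), 65537)
    hit = find_suffix_collision(victim_fp, attacker, suffix_bytes, created, 1 << 20)
    t, attacker_fp = hit
    return {
        "victim_fp": victim_fp.hex().upper(),
        "attacker_fp": attacker_fp.hex().upper(),
        "attacker_time": t,
        "suffix_matches": victim_fp[-suffix_bytes:] == attacker_fp[-suffix_bytes:],
        "full_fp_matches": victim_fp == attacker_fp,
    }


if __name__ == "__main__":
    r = demo()
    print("victim   ", r["victim_fp"], key_ids(bytes.fromhex(r["victim_fp"])))
    print("attacker ", r["attacker_fp"], key_ids(bytes.fromhex(r["attacker_fp"])))
    print("suffix matches:", r["suffix_matches"], " full fingerprint matches:", r["full_fp_matches"])
```

The practical check is the last line of the output: only the full 160-bit fingerprint distinguishes the two keys, so compare `gpg --fingerprint` output in full (or the `0x` long form at the very least), never the 8-hex-digit ID that the search listing above prints.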