GPG attacks 27. August 2017
While communicating with the CCC office, I was informed that they couldn’t send me GPG encrypted mails because of the error “GPGME: Ambiguous name”. Of course there is more than one key if you search for my mail address (I had other keys in the past), but they also quoted my correct key ID.
Well, turns out the GPG key ID collisions that were in the news last year also caught my key. While the key with id
0xB17F2106D8CCEC27 really is mine (as I also state on my keys page), the fake one with long ID
0x5AAD3FC3D8CCEC27 (notice the identical last eigth characters) has many of the correct parameters that are mentioned in the article:
- It has the correct primary user ID.
- It is signed by some other fake keys that correspond to real keys that signed my real key (like CACert).
However, it also lacks some details:
- It doesn’t have any secondary user IDs.
- It has the wrong creation time.
- Its signatures never expire. CACert only ever signs for one year.
- And of course, it’s revoked, as it was created by researchers.
All in all, I guess I should be proud that apparently, I’m part of the GPG strong set (as suggested by the article) and surprised that the CCC office considers revoked keys.