* William H. Geiger III wrote:
Well, I think we should have had some discussion on this. This really
plays havoc on keyring lookups & management if keyID is no longer unique.
If this is the tack to be taken then we should look at the encrypt & sig
packets and find a unique identifier to use with them, perhaps just put the
whole fingerprint there. Without a unique identifier there will be a
marked decrease of performance in PGP operations in areas where PGP
performance is poor to begin with.

I do not know how to deal with key ID attacks, birthday phenomena, and user
provided parts of the key/user ID without defining the key ID as not unique.
A local database does not depend on the uniqueness of the global key ID.
But we know that if it tries to depend on it, it is attackable.
Normally a key database is small. (Large databases are still very slow in
current versions of PGP due to bad implementation.) So only a few keys have to
be tried. Normally only a single key has to be tried. If 0xdeadbeef keys are
removed locally, this is even true for attacked environments.
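
An added illustration of the reply's point (not code from the thread or from PGP): a local keyring that treats the key ID as a non-unique lookup hint and tries each candidate key stored under it. The keys, the key ID values and the unpadded RSA check are constructed stand-ins, and all function and class names are hypothetical.

```python
import hashlib
from collections import defaultdict

E = 65537

def make_key(p, q, key_id):
    """Constructed textbook-RSA key pair; key_id is assigned by hand so a clash can be forced."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))      # private exponent (Python 3.8+)
    return {"key_id": key_id, "n": n}, d

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(pub, d, msg):
    return pow(_digest(msg, pub["n"]), d, pub["n"])

def check(pub, msg, sig):
    # Unpadded RSA check, a simplified stand-in for a real OpenPGP signature check.
    return sig < pub["n"] and pow(sig, E, pub["n"]) == _digest(msg, pub["n"])

class Keyring:
    """Local key database: the key ID selects candidates, it does not identify a key."""
    def __init__(self):
        self._by_id = defaultdict(list)

    def add(self, pub):
        self._by_id[pub["key_id"]].append(pub)

    def verify(self, key_id, msg, sig):
        """Try every key stored under key_id; return (verifying key or None, keys tried)."""
        tried = 0
        for pub in self._by_id.get(key_id, []):
            tried += 1
            if check(pub, msg, sig):
                return pub, tried
        return None, tried

# Constructed sample data: two keys share one key ID, a third has its own.
CLASH, _ = make_key(2**107 - 1, 2**127 - 1, 0xDEADBEEF)
ALICE, ALICE_D = make_key(2**61 - 1, 2**89 - 1, 0xDEADBEEF)
BOB, BOB_D = make_key(2**19 - 1, 2**31 - 1, 0x0BADF00D)
RING = Keyring()
for k in (CLASH, ALICE, BOB):
    RING.add(k)

MSG = b"constructed test message"
print(RING.verify(0xDEADBEEF, MSG, sign(ALICE, ALICE_D, MSG))[1])  # keys tried
```

The cost of a duplicated key ID is one extra signature check per colliding key held locally, and a signature that verifies under none of the candidates is rejected.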