-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A side-effect of this is something that's either an obvious extension or in the
spec already.
Section 3.3 says: "Implementations SHOULD NOT assume that Key IDs are unique."
It's said that since 2440, for the following reason...
In PGP1 days, Vinnie started working there and told me that he'd generated a
key and gotten a certain error when putting it into the keyserver. I was
thrilled, because that error was a duplicate keyid error. We'd been having
debates over this ourselves. Being a software engineer, I tend to consider
assuming that a database key is unique is bad form. I recognize that
pseudo-random 64-bit numbers don't collide easily at all, but assuming
uniqueness is something that is easily coded around. That key was my proof that
engineering-wise, don't assume uniqueness.
Sadly, he had deleted the key and just generated a new one, so that key is the
Nessie of key ids. It's a crypto-cryptologist's dream, the true random
collision. And we will never know if it was genuine. Sigh.
Nonetheless, that led to that clause in 3.3, and I assert that if an
implementation breaks because of a keyid collision, the implementation has a
bug.
So you can consider a keyid to just be a database key. The way we do it now
(truncating a fingerprint) is a fine way to do it, but the underlying principle
is that an implementor really needs to code around the eventuality that there
will be a collision and do some right thing.
Yeah, I know it's easier said than done, but that doesn't make it false.
I forget what Terry Pratchett novel has it, but in one of them he has a
discussion that anything that is a million-to-one against is a certainty. The
million-to-one thing *will* happen. Cryptographers need to keep that principle
in the back of their head, too.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.10.0 (Build 554)
Charset: us-ascii
wj8DBQFNOFwGsTedWZOD3gYRAtyVAJ40VCHrrUkG2Dc+Bi7fKQA5VZlCeQCfRQVc
Xs4TmguHftMh9uE/+b5Lqfw=
=B98X
-----END PGP SIGNATURE-----