It has been reported that GPG key generation can produce two different keys with the same short key ID.
Apparently it is an old problem, but the solution is as simple as: stop using short key IDs. However, since signature verifications cannot be spoofed with this technique, nothing is compromised. Only humans are confused, which could lead to some social engineering, at worst. I suspect that after this publicity those who haven't been using long keys will start doing so when they upload their apps to secure servers. Users should also be aware of the problem and not trust the short key ID as proof of authenticity.
Summary: It is important that we (the Debian community that relies on OpenPGP through GNU Privacy Guard) stop using short key IDs. There is no vulnerability in OpenPGP and GPG. However, using short key IDs (like 0x70096AD1) is fundamentally insecure; it is easy to generate collisions for short key IDs. We should always use 64-bit (or longer) key IDs, like: 0x37E1C17570096AD1 or 0xEC4B033C70096AD1.
...
...
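As an added example (not part of the original post or of GnuPG), the sketch below audits a keyring listing for keys that share a short key ID and classifies key references found in scripts. It assumes v4 keys, where the long and short key IDs are the low 64 and 32 bits of the 160-bit fingerprint; the fingerprints and listing are constructed, with only their last 16 hex digits taken from the two long IDs quoted above, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed fingerprints: padding is made up, the tails are the long IDs
# quoted in the text plus one unrelated key.
SAMPLE_FPRS = ["A" * 24 + "37E1C17570096AD1",
               "B" * 24 + "EC4B033C70096AD1",
               "C" * 24 + "0123456789ABCDEF"]
# Constructed, abbreviated stand-in for `gpg --list-keys --with-colons`
# output; only the fpr records (fingerprint in field 10) are used.
SAMPLE_COLONS = "".join(f"pub:-:4096:1:{f[-16:]}:\nfpr:::::::::{f}:\n"
                        for f in SAMPLE_FPRS)


def key_ids(fingerprint):
    """Return (long_id, short_id) for a 40-hex-digit v4 fingerprint."""
    fpr = fingerprint.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 160-bit v4 fingerprint")
    return fpr[-16:], fpr[-8:]


def short_id_collisions(colons_output):
    """Map each short ID shared by more than one fingerprint to those keys."""
    by_short = defaultdict(set)
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            by_short[key_ids(fields[9])[1]].add(fields[9].upper())
    return {s: sorted(f) for s, f in by_short.items() if len(f) > 1}


def classify_key_ref(ref):
    """Classify a key reference (e.g. from a script) by its length."""
    h = ref.replace(" ", "").upper()
    if h.startswith("0X"):
        h = h[2:]
    if not re.fullmatch(r"[0-9A-F]+", h):
        return "not-hex"
    return {8: "short-id", 16: "long-id", 40: "fingerprint"}.get(len(h), "unknown")


if __name__ == "__main__":
    for short, fprs in short_id_collisions(SAMPLE_COLONS).items():
        print(f"short ID 0x{short} is ambiguous:")
        for f in fprs:
            print(f"  long ID 0x{key_ids(f)[0]}  fingerprint {f}")
    for ref in ("0x70096AD1", "0x37E1C17570096AD1"):
        print(ref, "->", classify_key_ref(ref))
```
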