Mike Gerwitz (mikegerwitz)'s status on Saturday, 04-Jun-2016 01:18:59 UTC
@armistace There are two practical problems: using someone else's PGP key without realizing it, and software (stupidly) using only the last eight digits of the fingerprint.
The latter is a serious issue. The former isn't necessarily practical to exploit if you're paying attention; if I download someone's GPG key, I'm usually getting it for a particular purpose, such as verifying an existing signature (e.g. e-mail, software packages). Not only would someone have to create a key with the same last eight digits, but it'd have to be the correct name and e-mail address. Even then, when I go to verify signatures, the check would fail.
So I wouldn't be worried if you're using, say, GPG from the command line or your mail client, so long as it implements it properly.
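An added example, not part of Mike's status or of GnuPG itself, showing what "implements it properly" looks like: match a downloaded key on its full 160-bit fingerprint, and contrast that with the weak last-eight-digits match the status criticizes. It assumes the `fpr` record layout of `gpg --with-colons --fingerprint` output (fingerprint in field 10); the two keys and their fingerprints are constructed and belong to no real key.

```python
import re

HEX40 = re.compile(r"[0-9A-F]{40}")


def normalize_fingerprint(fpr: str) -> str:
    """Drop spaces/colons and upper-case; insist on a full 160-bit v4 fingerprint."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if not HEX40.fullmatch(cleaned):
        raise ValueError("expected a full 40-hex-digit fingerprint, got %r" % fpr)
    return cleaned


def short_key_id(fpr: str) -> str:
    """The 32-bit short key ID: the last eight hex digits of the fingerprint."""
    return normalize_fingerprint(fpr)[-8:]


def fingerprints_from_colons(output: str) -> list:
    """Pull fingerprints out of `gpg --with-colons --fingerprint` output.
    fpr records carry the fingerprint in field 10 (index 9)."""
    fprs = []
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9])
    return fprs


def matching_keys(output: str, expected_fpr: str, by: str = "fingerprint") -> list:
    """Return the fingerprints in `output` that match `expected_fpr`.
    by="fingerprint" compares all 160 bits (the proper check);
    by="short_id" reproduces the weak behaviour of matching only the last
    eight hex digits, so a colliding key is accepted too."""
    want = normalize_fingerprint(expected_fpr)
    hits = []
    for fpr in fingerprints_from_colons(output):
        have = normalize_fingerprint(fpr)
        same = (have[-8:] == want[-8:]) if by == "short_id" else (have == want)
        if same:
            hits.append(have)
    return hits


# Constructed sample keyring listing: two keys whose fingerprints end in the
# same eight hex digits (DEADBEEF), i.e. they collide on the 32-bit short ID.
EXPECTED = "0123 4567 89AB CDEF 0123 4567 89AB CDEF DEAD BEEF"
SAMPLE_COLONS = """\
pub:u:4096:1:89ABCDEFDEADBEEF:1400000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDEADBEEF:
pub:u:4096:1:FEDCBA98DEADBEEF:1400000000:::u:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA98DEADBEEF:
"""

if __name__ == "__main__":
    print("full fingerprint:", matching_keys(SAMPLE_COLONS, EXPECTED))
    print("short key ID:   ", matching_keys(SAMPLE_COLONS, EXPECTED, by="short_id"))
```

The full-fingerprint check returns only the genuine key, while the short-ID check returns both, which is exactly the failure mode when software keys on the last eight digits.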