Fingerprint confusion.
Jason Harris
jharris@widomaker.com
Mon Aug 26 21:39:01 2002
On Mon, Aug 26, 2002 at 05:11:21PM +0200, Werner Koch wrote:
> we are now printing a more clear message, e.g.:
>
> gpg: xxxxxxxx: There is no indication that this key really belongs to the owner
> 2048g/xxxxxxxx: ..
> Primary key fingerprint: ...
> Subkey fingerprint: ...
>
> If the primary key is used, we don't print the subkey fingerprint of
> course.
>
> There is a reason why the subkey is printed: If you have a very strong
> subkey (say 4k bits), it does not match the strength of a (say) 1024
> bit primary key. An attacker could in theory then try to break the
> primary key and create a new subkey which he can do because the subkey
> is bound to the primary by a signature created with the primary. To
> avoid this one could exchange the fingerprint of the subkey by other
> secure means to see whether they match.
Let's hope SHA-1 hashes remain secure for a long time...
(Also, use --with-fingerprint twice to get fingerprints for subkeys.
On the keyservers, ask for a verbose listing with fingerprints
(the default on the web form) from http://keyserver.kjsl.com:11371/
to see similar output.)
Should ./tools/ring-a-party start including subkey fingerprints by
default? Here is a _quick_ hack to do so, but the key algorithm
display (at minimum) needs more work:
--- ring-a-party 2002/08/26 18:54:29 1.1
+++ ring-a-party 2002/08/26 19:15:07
@@ -29,8 +29,8 @@
echo "ring-a-party: output will be written to 'a.pub'" >&2
=20
=20
-gpg --dry-run --with-fingerprint --with-colons $keyring \
- | gawk -v "KEYRING=3D$hdrline" '
+gpg --dry-run --with-fingerprint --with-fingerprint --with-colons $keyring=
\
+ | awk -v "KEYRING=3D$hdrline" '
BEGIN { FS=3D":"
algos[1] =3D "RSA";
algos[16] =3D "ElGamal";
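Review bot: The switch from gawk to awk on the changed pipeline line is unrelated to adding subkey fingerprints and should be justified or split into its own change. The script passes -v and, further down, defines functions such as mapalgo(), which an old-style awk does not support, so either keep gawk or state that a POSIX awk is required. The unquoted $keyring on the gpg line would also be safer written as "$keyring".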
@@ -43,8 +43,11 @@
END {=20
if (any) myflush();=20
}
-$1 =3D=3D "pub" {
- if( any ) myflush();
+$1 =3D=3D "pub" || $1 =3D=3D "sub" {
+ if( any ) {
+ myflush();
+ }
+ type =3D $1
uidcount =3D 0;
signencrypt =3D 0;
uids[uidcount++] =3D $10;
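Review bot: In the block now matched by $1 == "pub" || $1 == "sub", the uid setup runs for sub records as well: uidcount is reset and uids[uidcount++] = $10 records field 10 of the sub line as a user ID. The later if (type == "pub") guard hides this at print time, but it would be cleaner to keep the uid and signencrypt setup under a pub-only condition and share only the flush and type = $1. The added braces around myflush() are a style-only change that could be dropped from this patch.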
@@ -70,17 +73,20 @@
printf " Type Bits KeyID Created Expires Algorithm =
Use\n\n";
lines =3D 1;
}
- printf "[ ] pub %04d 0x%s %10s %10s %-10s %15s\n",
+ printf "[ ] %s %04d 0x%s %10s %10s %-10s %15s\n",
+ type,
nbits, keyid, created, expires =3D=3D ""? "----------":expires, algostr,
signencrypt =3D=3D 1? "Sign & Encrypt":"Sign only";
length(fpr) =3D=3D 40 ? printfpr20( fpr ) : printfpr16( fpr );
lnes +=3D 2;
+ if (type =3D=3D "pub") {
for( i=3D0; i < uidcount; i++ ) {
printf "( ) uid %s\n", uids[i];
lines++;
}
- printf "\n\n";
- lines +=3D 2;
+ }
+ printf "\n";
+ lines +=3D 1;
}
=20
function mapalgo( no )
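Review bot: The Use column in the changed printf still offers only "Sign & Encrypt" or "Sign only", so a sub row for an encryption-only subkey, such as an ElGamal subkey like the 2048g one quoted above, gets a label that cannot be right; print a separate value for sub rows or leave the column empty until the key's use is determined. The context line lnes += 2 looks like a typo for lines, which means the line count this hunk adjusts with lines += 1 is already off.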
@@ -112,7 +118,3 @@
}
=20
' | tee a.pub | gpg --print-mds
-
-
-
-
-- 
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web: http://jharris.cjb.net/
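
Added example, not part of the original message or of ring-a-party: a small shell function that pulls primary and subkey fingerprints out of a colon listing and marks the case Werner describes, a subkey longer than the primary key that certifies it. The function names, the note text and the sample listing (made-up key IDs and fingerprints) are assumptions, and comparing bit lengths across different algorithms is only a rough indicator.

```shell
#!/bin/sh
# Added example, not ring-a-party code.
# list_fprs: read `gpg --with-colons` output (fingerprints requested twice)
# on stdin and print "<type> <bits> <fingerprint>[ note]" for every
# primary key and subkey, so each fingerprint can be compared out of band.
list_fprs() {
    awk -F: '
    # pub/sub records: field 3 is the key length in bits
    $1 == "pub" { kind = "pub"; bits = $3; pbits = $3; next }
    $1 == "sub" { kind = "sub"; bits = $3; next }
    # an fpr record follows the key it describes; field 10 is the fingerprint
    $1 == "fpr" && kind != "" {
        note = ""
        # scenario from the quoted mail: subkey longer than its primary
        if (kind == "sub" && bits + 0 > pbits + 0)
            note = " primary-weaker-than-subkey"
        printf "%s %d %s%s\n", kind, bits, $10, note
        kind = ""
    }'
}

# Constructed sample listing: key IDs, names and fingerprints are made up.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:AAAAAAAAAAAAAAAA:2002-08-26:::u:Alice Example <alice@example.org>::
fpr:::::::::1111111111111111111111111111111111111111:
sub:u:4096:16:BBBBBBBBBBBBBBBB:2002-08-26::::::
fpr:::::::::2222222222222222222222222222222222222222:
pub:u:2048:1:CCCCCCCCCCCCCCCC:2002-08-26:::u:Bob Example <bob@example.org>::
fpr:::::::::3333333333333333333333333333333333333333:
sub:u:2048:1:DDDDDDDDDDDDDDDD:2002-08-26::::::
fpr:::::::::4444444444444444444444444444444444444444:
EOF
}

# Demo on the constructed listing. Against a real keyring:
#   gpg --with-colons --with-fingerprint --with-fingerprint --list-keys | list_fprs
sample_listing | list_fprs
```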