struggling with potential keyid conflicts
dshaw at jabberwocky.com
Tue Jan 27 22:05:41 CET 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, Jan 27, 2004 at 04:05:31PM -0800, vedaal at hush.com wrote:
> >The old PGP 2.x (v3) keys have trivially forgeable keyids and
> >fingerprints. There is no way to really secure against that, as it
> >is inherent in the key format. Don't use them.
> the eight character key id may be easy to forge, but is the
> fingerprint too?
Yes. The v3 fingerprint algorithm is flawed, and allows someone to
trivially duplicate someone else's fingerprint. The giveaway is that
the forged key cannot have the same size as the real key.
This problem doesn't exist in v4 OpenPGP keys.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.5-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
-----END PGP SIGNATURE-----
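
An added example, not part of the original message: a sketch of why a v3 fingerprint match must be checked together with the key size, using the fingerprint definitions in RFC 4880 section 12.2. The helper names and the byte string are constructed for illustration; the values are not usable RSA keys.

```python
import hashlib

def mpi_body(x: int) -> bytes:
    """Big-endian magnitude of an MPI, without its two-octet bit count."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def mpi(x: int) -> bytes:
    """Full OpenPGP MPI: two-octet bit count followed by the magnitude."""
    return x.bit_length().to_bytes(2, "big") + mpi_body(x)

def v3_fingerprint(n: int, e: int) -> str:
    # RFC 4880 section 12.2: MD5 over the bodies of n then e. The MPI
    # length octets are not hashed, so the n/e boundary is not covered.
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest()

def v4_fingerprint(n: int, e: int, created: int = 0) -> str:
    # SHA-1 over 0x99, a two-octet length, then the whole key packet body
    # (version, creation time, algorithm 1 = RSA, full MPIs with lengths).
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()

def split(stream: bytes, n_len: int):
    """Read one byte stream as (n, e) with the boundary after n_len bytes."""
    return (int.from_bytes(stream[:n_len], "big"),
            int.from_bytes(stream[n_len:], "big"))

def matches_pinned_v3(n: int, e: int, pinned_fp: str, pinned_bits: int) -> bool:
    """Accept a v3 key only if fingerprint AND modulus size both match."""
    return v3_fingerprint(n, e) == pinned_fp and n.bit_length() == pinned_bits

# Constructed bytes, not a usable RSA key: only the hash input matters here.
STREAM = bytes(range(0x81, 0x8B))
KEY_A = split(STREAM, 8)   # 64-bit "modulus", 16-bit "exponent"
KEY_B = split(STREAM, 6)   # same bytes, boundary moved: 48-bit "modulus"

if __name__ == "__main__":
    pinned_fp, pinned_bits = v3_fingerprint(*KEY_A), KEY_A[0].bit_length()
    print("v3 fingerprints equal:", v3_fingerprint(*KEY_B) == pinned_fp)
    print("v4 fingerprints equal:", v4_fingerprint(*KEY_A) == v4_fingerprint(*KEY_B))
    print("KEY_B passes size-aware check:",
          matches_pinned_v3(*KEY_B, pinned_fp, pinned_bits))
```
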