Key ID format: short or long?

David Newman dfn at MIT.EDU
Wed Oct 22 05:54:34 CEST 2008

>    I had thought the long key ID, plus my email address, should be
> enough, since 8 characters hexadecimal numbers are unlikely to produce
> a
> collision, and even in case of a malicious attempt to replace my key,
> if
> 2 keys are found at the search, I would expect a contact to write and
> say "which one is the good one?" (and... seriously, I don't think
> anybody would try to impersonate me). But since everybody thinks the
> "right thing" is to put the entire fingerprint, there is no reason to
> don't do it.

The 8 char key ID is enough for one to retrieve your public key from
any keyserver, however, if that person would like to sign your key they
need 2 things from you.  At least one picture ID and your key's
fingerprint.  Chances are, if someone has your business card they have
met you in person so they could easily have checked your ID.  So including
it on your business card makes it more convenient.  That's the real reason
for including the fingerprint instead of just the keyID.  They are not
going to use the fingerprint to retrieve the key, only to verify that the
retrieved key is yours.


More information about the Gnupg-users mailing list