howto secure older keys after the recent attacks
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Sep 10 18:22:30 CEST 2009
On 09/10/2009 10:54 AM, Robert J. Hansen wrote:
> On Thu, 2009-09-10 at 14:02 +0200, Philippe Cerfon wrote:
>> I thought the key ID is only used for humans to short check the
>> keys,.. but not in the system itself?!
>
> Nope, it's pretty pervasive in the system.
Unless i misunderstand the context, I think I disagree with your
characterization here, Robert.
The Key ID is a substring (either the last 8 or 16 hex chars) of the Key
Fingerprint (which is 40 hex chars). The Key ID is used nowhere in the
internals of the OpenPGP specification, from what i can tell.
The fingerprint itself is used only in the designated revocation key
[0], which is an acknowledged weakness of the cryptosystem [1]. It's
not used anywhere else that i can tell.
So I think Philippe Cerfon's characterization is pretty accurate,
actually. The fingerprint (and to a weaker extent, the keyID) is useful
where the mechanical implementation meets the human mind. But I don't
think either are used internally to the OpenPGP cryptosystem in many
places at all.
--dkg
[0] http://tools.ietf.org/html/rfc4880#section-5.2.3.15
[1] http://www.imc.org/ietf-openpgp/mail-archive/msg33257.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 891 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090910/41437c56/attachment.pgp>
More information about the Gnupg-users
mailing list