Vanity Keys

Sandeep Murthy s.murthy at mykolab.com
Wed Jan 14 04:11:51 CET 2015 

Hi

> Only the right key will actually work for verification, but the program may not be able to find that right key.

Wouldn’t this issue of possible collisions in the long key ID (64 bits / 16 hex digits)
causing problems for the GPG program only be an issue in an organisational setting,
where there is a large number of users sharing that program and where keys
are uploaded to/retrieved from key servers using short IDs?

For an individual who for example only imports keys with fingerprints (160 bits /  40 hex) and
publishes their fingerprint rather than the short or long key ID, how can this risk arise
or is there still an issue with key servers?

Sandeep Murthy
s.murthy at mykolab.com

> On 13 Jan 2015, at 20:52, David Shaw <dshaw at jabberwocky.com> wrote:
> 
> On Jan 13, 2015, at 2:53 PM, NdK <ndk.clanbo at gmail.com> wrote:
>> 
>> Il 13/01/2015 16:34, David Shaw ha scritto:
>> 
>>> I like the idea of adding a proper fingerprint to signature packets.  I seem to recall this was suggested once in the past, but I don't recall why it wasn't pursued.
>> What I don't understand (surely because of my ignorance of GPG inner
>> working) is what that should add to the security... IOW, if the private
>> key have been generated by a third party to have a certain fingerprint,
>> what's the purpose of adding that fingerprint to the signature?
> 
> OpenPGP uses the 64-bit key ID to locate keys.  If two people have the same 64-bit key ID, it doesn't mean that person A can impersonate person B, but it does mean that if both person A and person B's keys are on a given keyring, the verifying program will not know which key to use to check the signature.  Only the right key will actually work for verification, but the program may not be able to find that right key.
> 
> The fingerprint is a 160-bit key ID - effectively impossible (given today's knowledge) to impersonate.
> 
> David
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 873 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: </pipermail/attachments/20150114/eda0a5bc/attachment.sig>

More information about the Gnupg-users mailing list