Better way to ID keys

Jason Gunthorpe jgg at ualberta.ca
Sun May 30 23:09:25 CEST 1999


Hi all!

In testing my GPG mail gateway someone pointed me to this interesting
post,

http://jya.com/show-trials.htm

Search for `Subject: CDR: oh goody, more key games'

The poster describes a mechanism that can be used to spoof a key
fingerprint and a key ID but indicates that spoofing the fingerprint, key ID and
key size all at once is substantially more difficult [or just the
fingerprint and the size?].

So, assuming that is not just some horrible prank - could I ask that the
status-fd output contain not only the key fingerprint but its type, and
its size. Furthermore, I would like it if there was a nice standard way
to give GPG an exact key specification involving all relevant portions and
have it use that exact key.

I was thinking a notation like,

  21BADABBBF24424C/4966F272D093B493410B924B21BADABBBF24424C/1024D
  6DC580F5C7261095/CBD9F4126807E405CC2D27121DF5E86E/1024R

Or if it turns out that the keyID is redundant then perhaps,
  4966F272D093B493410B924B21BADABBBF24424C/1024D
  CBD9F4126807E405CC2D27121DF5E86E/1024R

Which is just a more compact form of the --fingerprint output. The only
trouble is that the letter is not present in the --with-colons output
which makes deriving it kinda ugly :<

This way I could specify the key to --recipient with assurance that it
precisely matches the one in my database. (In effect we maintain a separate
global trust database for our keys, all the keys in that list are assured
to be Debian Developer keys)

Even if that posting isn't true it would be nice to have all that
information in the status-fd for completeness. (Just size and type are
needed right?)

My only other concern is that GPG uses the key fingerprint as an index for
its gdbm keyring (I choose to use it as well because of that). Will this
lead to problems if someone maliciously collides fingerprints?

Thanks,
Jason
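
The check the message asks for, as an added example that is not part of the original post and not GnuPG code: derive the proposed KEYID/FINGERPRINT/SIZE+LETTER form from `--with-colons --fingerprint` output and accept a key only when every pinned component agrees. It assumes the colon layout of current GnuPG (`pub` fields 3, 4, 5 = length, algorithm number, key ID; `fpr` field 10 = fingerprint); the function names are hypothetical and the listing is constructed around the two keys quoted above.

```python
import re

# OpenPGP public-key algorithm numbers and the letter gpg prints after the size.
ALGO_LETTER = {1: "R", 16: "g", 17: "D", 20: "G"}

# [KEYID/]FINGERPRINT/SIZE+LETTER; 32 hex digits = v3 (MD5), 40 = v4 (SHA-1).
SPEC_RE = re.compile(
    r"^(?:([0-9A-Fa-f]{16})/)?([0-9A-Fa-f]{32}|[0-9A-Fa-f]{40})/(\d+)([A-Za-z])$")

# Constructed listing: key values are the two from the post, the rest is filler.
SAMPLE = """\
pub:-:1024:17:21BADABBBF24424C:1999-01-01:::-:Constructed Example::
fpr:::::::::4966F272D093B493410B924B21BADABBBF24424C:
pub:-:1024:1:6DC580F5C7261095:1999-01-01:::-:Constructed Example::
fpr:::::::::CBD9F4126807E405CC2D27121DF5E86E:
"""

def parse_spec(spec):
    """Return (keyid or None, fingerprint, bits, letter) for one spec string."""
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError("malformed key spec: %r" % spec)
    keyid, fpr, bits, letter = m.groups()
    return (keyid.upper() if keyid else None, fpr.upper(), int(bits), letter)

def keys_from_colons(listing):
    """Yield (keyid, fingerprint, bits, letter) for each pub/fpr record pair."""
    pub = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pub = (f[4].upper(), int(f[2]), ALGO_LETTER.get(int(f[3])))
        elif f[0] == "fpr" and pub and len(f) > 9:
            keyid, bits, letter = pub
            pub = None  # a later fpr record belongs to a subkey, not this key
            if letter:  # skip algorithms with no known letter
                yield (keyid, f[9].upper(), bits, letter)

def format_spec(key):
    """Render one key tuple in the full three-part notation."""
    return "%s/%s/%d%s" % key

def matches(pinned, listing):
    """True only if fingerprint, size and type (and keyID, if given) all agree."""
    want = parse_spec(pinned)
    return any(got[1:] == want[1:] and want[0] in (None, got[0])
               for got in keys_from_colons(listing))
```

A pinned entry with the right fingerprint but a different size or type letter is rejected, which is the property the notation is meant to give a key database.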



