Better way to ID keys
jgg at ualberta.ca
Sun May 30 23:09:25 CEST 1999
In testing my GPG mail gateway someone pointed me to this interesting
Search for `Subject: CDR: oh goody, more key games'
The poster describes a mechanism that can be used to spoof a key
fingerprint and a key ID but indicates that spoofing the fingerprint, key ID and
key size all at once is substantially more difficult [or just the
fingerprint and the size?].
So, assuming that is not just some horrible prank - could I ask that the
status-fd output contain not only the key fingerprint but its type, and
its size. Furthermore, I would like it if there was a nice standard way
to give GPG an exact key specification involving all relevant portions and
have it use that exact key.
I was thinking a notation like,
Or if it turns out that the keyID is redundant then perhaps,
Which is just a more compact form of the --fingerprint output. The only
trouble is that the letter is not present in the --with-colons output
which makes deriving it kinda ugly :<
This way I could specify the key to --recipient with assurance that it
precisely matches the one in my database. (In effect we maintain a separate
global trust database for our keys, all the keys in that list are assured
to be Debian Developer keys)
Even if that posting isn't true it would be nice to have all that
information in the status-fd for completeness. (Just size and type are
My only other concern is that GPG uses the key fingerprint as an index for
its gdbm keyring (I chose to use it as well because of that); will this
lead to problems if someone maliciously collides fingerprints?
More information about the Gnupg-devel
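As an added example, not code from the original post or from GnuPG itself: a small parser for `--with-colons` records that derives the single-letter key type printed by `--fingerprint` (the letter the post notes is absent from `--with-colons`), binds fingerprint, type and size into one spec, and shows that a fingerprint-only lookup cannot tell apart two records that share a fingerprint and key ID while the full spec selects exactly one. Assumptions: the record layout is the one documented in GnuPG's doc/DETAILS (pub field 3 = key length, field 4 = algorithm id, field 5 = key id; fpr field 10 = fingerprint), the algorithm-to-letter mapping follows GnuPG's pubkey_letter(), the `<size><letter>/<fingerprint>` notation is assumed because the post's own notation did not survive, and the sample records (including a second record that deliberately shares the first record's fingerprint and key ID) are constructed.

```python
# Added example, not code from the original post or from GnuPG.
# Builds a key spec that binds fingerprint, type and size together and
# matches it against parsed `gpg --with-colons` records.

from dataclasses import dataclass
from typing import List, Optional

# Algorithm id -> type letter as printed by `gpg --fingerprint`
# (mapping taken from GnuPG's pubkey_letter(); the letter itself is not
# a --with-colons field, so it has to be derived from field 4).
ALGO_LETTER = {1: "R", 2: "r", 3: "s", 16: "g", 17: "D", 20: "G"}

# Constructed sample: the second record shares the first record's
# fingerprint and key ID but has a different key size (the spoof case the
# post describes); the third is an unrelated RSA key.
SAMPLE = """pub:f:1024:17:6D7E8F9001122334:1999-05-30::::
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001122334:
pub:-:768:17:6D7E8F9001122334:1999-05-31::::
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001122334:
pub:-:2048:1:0123456789ABCDEF:1999-05-30::::
fpr:::::::::FFEEDDCCBBAA99887766554433221100FEDCBA98:
"""


@dataclass(frozen=True)
class KeySpec:
    fingerprint: str
    algo: int
    size: int
    keyid: str

    @property
    def letter(self) -> str:
        return ALGO_LETTER.get(self.algo, "?")

    def compact(self) -> str:
        # Assumed notation: <size><letter>/<fingerprint>
        return f"{self.size}{self.letter}/{self.fingerprint}"


def parse_with_colons(text: str) -> List[KeySpec]:
    """Pair each pub record with the fpr record that follows it.

    Field layout assumed from doc/DETAILS: pub:<validity>:<length>:<algo>:
    <keyid>:... and fpr records carry the fingerprint in field 10.
    """
    keys: List[KeySpec] = []
    pending = None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            pending = (int(fields[2]), int(fields[3]), fields[4])
        elif fields[0] == "fpr" and pending is not None:
            size, algo, keyid = pending
            keys.append(KeySpec(fields[9].upper(), algo, size, keyid))
            pending = None
    return keys


def parse_spec(spec: str):
    """'1024D/<fpr>' -> (1024, 'D', '<FPR>')."""
    head, fpr = spec.split("/", 1)
    return int(head[:-1]), head[-1], fpr.upper()


def matches(key: KeySpec, spec: str) -> bool:
    """All three fields must agree, not just the fingerprint."""
    size, letter, fpr = parse_spec(spec)
    return key.fingerprint == fpr and key.letter == letter and key.size == size


def by_fingerprint(keyring_text: str, fpr: str) -> List[KeySpec]:
    """Fingerprint-only lookup, as a gdbm index keyed on the fingerprint
    would do; returns every record sharing that fingerprint."""
    fpr = fpr.upper()
    return [k for k in parse_with_colons(keyring_text) if k.fingerprint == fpr]


def select_recipient(keyring_text: str, spec: str) -> Optional[KeySpec]:
    """Return the one key matching the full spec, or None if zero or
    several records match (ambiguity is treated as failure, not a guess)."""
    hits = [k for k in parse_with_colons(keyring_text) if matches(k, spec)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for k in parse_with_colons(SAMPLE):
        print(k.compact(), k.keyid)
    fpr = "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"
    print("fingerprint-only hits:", len(by_fingerprint(SAMPLE, fpr)))
    print("full-spec hit:", select_recipient(SAMPLE, "1024D/" + fpr))
```

The point of `select_recipient` is that it refuses to pick when the spec is ambiguous: a lookup keyed on the fingerprint alone returns both colliding records, whereas the spec that also carries the size and type letter narrows the result to one, which is the assurance the post asks for when passing a key to --recipient.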