gpgme 0.3.3 questions

[Rick van Rein]

Hoi Stephane Corthesy,

> About gpg:
> 
> - How are two keys equal? Can we compare them using fingerprint?  

Yes, that is the idea of a fingerprint.
Without actually viewing the key, you can still compare it.
The whole key is long (often 1024 bit, some use 4096 bit -- where a
fingerprint is 128 bt or 160 bit) and the idea of a comparison of secure
hashes is in practice as good as comparing the stuff it was derived from.

Of course, there is a chance that two keys have the same fingerprint, after
all, there's far less bits. But _because_ you are using the fingerprint for
authentication purposes (and that's all they are good for) of someone who
already claimed to be Mr. X, the changes of forgery are infinitesimally
small and can be waived.

> What makes them unique?

Nothing does. It is possible to have the same key pair generated in two
different places, and/or the same fingerprint. However, the chances are
quite small.

To me, this is where PGP is really smart. It allows distributed/
disconnected use of PGP, while at the same time establishing a strong means
of authentication of someone claiming to be Mr. X.

Although it is generally assumed that human fingerprints are unique, there
is no way of knowing this for sure. There is no central database anywhere
in Nature's scheme of things. However, given that someone claims to be Mr.
X, and if the human fingerprint matches the one on store _for_ Mr. X, it's
gotta be him. That's how I understand the term fingerprint in PGP.

However, if you have a world full of PGP users, you should not go and
lookup a key based on its fingerprint alone; it is a bad identity because
there _may_ be some other key using the same fingerprint, given a large
user base.



So, NEVER NEVER NEVER use a fingerprint as an identity, or assume it is
unique. But ANYTIME assume that a comparison of fingerprints is as good a
form of authentication as comparing the keys themselves.


Hope this helps,

Rick van Rein.