SHA3 IANA registration - method?

Andrey Jivsov openpgp at
Mon Dec 17 08:28:13 CET 2012

On 12/15/2012 01:32 AM, Werner Koch wrote:
> On Fri, 14 Dec 2012 19:32, openpgp at said:
>>  From this point I can claim repudiation (aka an alibi), stating that
>> the sender has never properly encrypted the message to me that I could
>> have ever read. Here is my key (B) with the same fingerprint that
> The non-repudiation capability of an enryption system is hard to
> implement and to deploy.  I am not sure whether OpenPGP may claim to
> support it.

How about this signature repudiation:

At some point I generated two keys with colliding fingerprints. I post 
the fingerprint of one key and the key itself on the website. I keep my 
second key for tough times ahead.

At some point I sign a document, but get in troubles because of this 
signature and want to deny the signature. I quickly update the key file 
on the website.

The key file was not cached by the search engines (by luck or my forward 
planning). It could be due to my luck because the key was in a directory 
that was excluded per my /robots.txt file. Fingerprint, however, was not 
(it was in the indexed html folder).

Now my denial of the signature looks convincing: the fingerprint is 
correct and is exactly the one that was on my page at the alleged time 
of signing, but the signature doesn't verify. I hire 3d party experts to 
record the current state of things and will rely on their statement for 
the repudiation.

( Of course the accuser forgot to cache my old key. )

More information about the Gnupg-devel mailing list