SHA3 IANA registration - method?

Daniel Kahn Gillmor dkg at
Tue Dec 18 00:44:35 CET 2012

On 12/17/2012 06:21 PM, Andrey Jivsov wrote:
> That's not to say that there is no problem with fingerprints. RFC 4880
> doesn't warn users that "you cannot rely on fingerprints for security
> and MUST cache keys for full repudiation". I don't think it should. I
> think it's much easier to fix the fingerprints and continue to view them
> as ideal hashes of keys. :

>>    Note that it is possible for there to be collisions of Key IDs -- two
>>    different keys with the same Key ID.  Note that there is a much
>>    smaller, but still non-zero, probability that two different keys have
>>    the same fingerprint.

This seems to strongly imply the arguments you suggest are lacking
above.  I can't find anywhere in RFC 4880 that encourages people to
throw away copies of keys that they have used for validation and expect
to be able to find them again.

I really don't think the scenario you've described amounts to a serious
vulnerability, let alone one related to the collision-resistance of the
fingerprinting mechanism.


More information about the Gnupg-devel mailing list