SHA3 IANA registration - method?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Dec 18 00:44:35 CET 2012
On 12/17/2012 06:21 PM, Andrey Jivsov wrote:
> That's not to say that there is no problem with fingerprints. RFC 4880
> doesn't warn users that "you cannot rely on fingerprints for security
> and MUST cache keys for full repudiation". I don't think it should. I
> think it's much easier to fix the fingerprints and continue to view them
> as ideal hashes of keys.
https://tools.ietf.org/html/rfc4880#page-72 :
>> Note that it is possible for there to be collisions of Key IDs -- two
>> different keys with the same Key ID. Note that there is a much
>> smaller, but still non-zero, probability that two different keys have
>> the same fingerprint.
This seems to strongly imply the arguments you suggest are lacking
above. I can't find anywhere in RFC 4880 that encourages people to
throw away copies of keys that they have used for validation and expect
to be able to find them again.
I really don't think the scenario you've described amounts to a serious
vulnerability, let alone one related to the collision-resistance of the
fingerprinting mechanism.
--dkg
More information about the Gnupg-devel
mailing list