SHA3 IANA registration - method?

Andrey Jivsov openpgp at brainhub.org
Tue Dec 18 01:02:11 CET 2012


On 12/17/2012 03:44 PM, Daniel Kahn Gillmor wrote:
> On 12/17/2012 06:21 PM, Andrey Jivsov wrote:
>> That's not to say that there is no problem with fingerprints. RFC 4880
>> doesn't warn users that "you cannot rely on fingerprints for security
>> and MUST cache keys for full repudiation". I don't think it should. I
>> think it's much easier to fix the fingerprints and continue to view them
>> as ideal hashes of keys.
>
> https://tools.ietf.org/html/rfc4880#page-72 :
>
>>>     Note that it is possible for there to be collisions of Key IDs -- two
>>>     different keys with the same Key ID.  Note that there is a much
>>>     smaller, but still non-zero, probability that two different keys have
>>>     the same fingerprint.
>
> This seems to strongly imply the arguments you suggest are lacking
> above.  I can't find anywhere in RFC 4880 that encourages people to
> throw away copies of keys that they have used for validation and expect
> to be able to find them again.
>
> I really don't think the scenario you've described amounts to a serious
> vulnerability, let alone one related to the collision-resistance of the
> fingerprinting mechanism.

The quote you provided talks about keyID. The collision it talks about 
is an unavoidable collision due to the limited length of the keyID, 
which is 8 bytes. The collision here happens with ~ 1/2^32 probability 
and it will not be helped by a stronger fingerprint that uses SHA-512, 
for example.

Fingerprints are 160 bits.

If you talk to application developers with some knowledge of security, 
you are almost certain to see a surprise that OpenPGP fingerprints (not 
keyIDs) may not be assumed to be collision free and one SHOULD cache/log 
actual keys.



More information about the Gnupg-devel mailing list