Using second keyring may be misleading?

Nicholas Cole nicholas.cole at gmail.com
Sun Jun 24 09:42:07 CEST 2012


>>>
>>
>> So it still confuses implementations? :)
>
> Alas :)
>
> Unfortunately, it's pretty inherent in the design.  The issuer subpacket that contains the key ID for a signature only has the 64-bit key ID.  We'd need a new issuer subpacket that contained the whole fingerprint.

 1.  I've never really understood why the full fingerprint *wasn't*
used for this sort of thing.  The key ID probably ought to be kept as
much as possible as a human-only convenience.  Is there no way to
imagine the standard changing? (I guess this would need a new key
format version, and possibly a new signature format?)

2.  At least internally, could gpg get round the problem by indexing
keys by fingerprint, and by checking the validity of the signature as
well as just the key-id in the case of possible ambiguities (or at
least spotting the ambiguity and printing a warning?)

3. I know this is a particular problem with version 3 key ids. How
much stronger are version 4?

Best wishes,

Nicholas



More information about the Gnupg-devel mailing list