[PATCH] Disable importing V3 public keys from keyservers

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 10 16:29:56 CEST 2014

On 10/10/2014 10:22 AM, David Leon Gil wrote:
> On Fri, Oct 10, 2014 at 10:05 AM, Daniel Kahn Gillmor
> <dkg at fifthhorseman.net> wrote:
>> full v3 fingerprints are also spoofable …
> You can generate collisions easily enough. Is there another way of
> spoofing them?


> They're the MD5 hash of the modulus, no?

No, v3 fingerprints include the exponent as well:



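The v3 fingerprint rule referred to above, as an added example that is not part of the original message or of GnuPG's code: per RFC 4880 section 12.2, MD5 is taken over the bodies of the modulus and exponent MPIs only, while a v4 fingerprint is SHA-1 over the framed packet body. The key values are constructed toys, and `rsa_packet` and `accept_for_import` are hypothetical helpers.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP MPI: two-octet bit count, then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def read_mpi(buf: bytes, off: int):
    """Return (MPI body without its length prefix, offset after the MPI)."""
    (bits,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI")
    return buf[off + 2:end], end

def rsa_packet(version: int, created: int, n: int, e: int) -> bytes:
    """Build an RSA public-key packet body (RFC 4880 section 5.5.2)."""
    head = struct.pack(">BI", version, created)
    if version == 3:
        head += struct.pack(">H", 0)          # validity in days, 0 = no expiry
    return head + b"\x01" + mpi(n) + mpi(e)   # algorithm 1 = RSA

def fingerprint(body: bytes):
    """Return (version, hex fingerprint) for an RSA public-key packet body."""
    version = body[0]
    if version in (2, 3):
        # v2/v3: skip version, time, validity, algorithm (8 octets in total),
        # then hash only the MPI bodies of n and e. Nothing else is covered.
        n, off = read_mpi(body, 8)
        e, _ = read_mpi(body, off)
        return version, hashlib.md5(n + e).hexdigest()
    if version == 4:
        framed = b"\x99" + struct.pack(">H", len(body)) + body
        return version, hashlib.sha1(framed).hexdigest()
    raise ValueError(f"unsupported key version {version}")

def accept_for_import(body: bytes) -> bool:
    """Hypothetical import policy in the spirit of the patch: refuse v3 and older."""
    return fingerprint(body)[0] >= 4

# Constructed toy values, not a real key.
N, E = (1 << 511) | 0x1234567890ABCDEF1, 65537
V3_A, V3_B = rsa_packet(3, 1000000000, N, E), rsa_packet(3, 1400000000, N, E)
V4_A, V4_B = rsa_packet(4, 1000000000, N, E), rsa_packet(4, 1400000000, N, E)

if __name__ == "__main__":
    for name, body in (("v3 A", V3_A), ("v3 B", V3_B), ("v4 A", V4_A), ("v4 B", V4_B)):
        print(name, fingerprint(body), "import ok:", accept_for_import(body))
```

The two v3 packets differ in creation time yet print the same fingerprint, while the two v4 packets do not.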