[PATCH] Disable importing V3 public keys from keyservers
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Oct 10 16:29:56 CEST 2014
On 10/10/2014 10:22 AM, David Leon Gil wrote:
> On Fri, Oct 10, 2014 at 10:05 AM, Daniel Kahn Gillmor
> <dkg at fifthhorseman.net> wrote:
>> full v3 fingerprints are also spoofable …
>
> You can generate collisions easily enough. Is there another way of
> spoofing them?
yep.
> They're the MD5 hash of the modulus, no?
No, v3 fingerprints include the exponent as well:
https://tools.ietf.org/html/rfc4880#section-12.2
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20141010/53004cde/attachment.sig>
More information about the Gnupg-devel
mailing list