What are fingerprints?

Dale Harris rodmur@maybe.org
Sun, 12 Dec 1999 11:26:05 -0700

On Sun, Dec 12, 1999 at 04:18:18PM +0100, Peter Schuller elucidated:

> I've always wondered: how on earth can they be unique? Yes, a hashing
> algorithm can make the hashes *almost* unique, but how can it be guaranteed
> that no two keys have the same finger print? It must be impossible, since
> there is no communication with a central server during key generation. Yet,
> invarious documents on PGP, it is always stated that they finger prints are
> indeed unique.
There is no way to guarantee they are unique. Once they are significantly larger than the key ID, then there is less chance that there will be a duplicate fingerprint (I don't know what the probabilities are, but I imagine that they are relatively small). Only the whole key is unique (unless someone uses your id and pass phrase to make another). The fingerprint is a convenience, it is simpler for the user to check a whole key. If meet someone or are talking to them on the phone, and you are fairly confident who are talking to is who they say they are, then if you have them read their fingerprint, you can have a relatively high degree of confidence that you are using the correct key. Obviously if there is a fingerprint match, or you want to be absolutely sure, then you'll want to check the entire key. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Dale Harris <rodmur@maybe.org> GPG key: 372FBD57 http://www.maybe.org/ Maybe is an Ambivalent Yet Beguiling Enigma