Fingerprint confusion.

Werner Koch wk@gnupg.org
Mon Aug 26 17:06:01 2002


On Sat, 24 Aug 2002 12:10:46 +0100 (BST), john clark said:

> 	Being shown the fingerprint of the sub/encryption key
> during encryption while the fingerprint being given by
> the --fingerprint option is from the primary key.

We are now printing a clearer message, e.g.:

gpg: xxxxxxxx: There is no indication that this key really belongs to the owner
2048g/xxxxxxxx: ..
 Primary key fingerprint: ...
      Subkey fingerprint: ...

If the primary key is used, we don't print the subkey fingerprint of
course.

There is a reason why the subkey is printed: If you have a very strong
subkey (say 4k bits), it does not match the strength of a (say) 1024
bit primary key.  An attacker could in theory then try to break the
primary key and create a new subkey, which he can do because the subkey
is bound to the primary by a signature created with the primary.  To
avoid this one could exchange the fingerprint of the subkey by other
secure means to see whether they match.


Salam-Shalom,

   Werner
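
The check suggested in the message above, as an added example that is not part of the original mail or of GnuPG's code: it parses gpg's colon listing, compares the primary and subkey fingerprints with values obtained by other secure means, and flags a subkey longer than the primary that binds it. The sample listing, fingerprints and function names are constructed for illustration, and the bit-length comparison is a rough heuristic following the 4k/1024 case in the message.

```python
# Constructed sample of `gpg --with-colons --fingerprint --fingerprint` output
# (giving --fingerprint twice makes gpg list subkey fingerprints too).
SAMPLE = """\
pub:-:1024:17:7777888899990000:1030000000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1030000000::::Alice Example <alice@example.org>:
sub:-:4096:16:0000111122223333:1030000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""

def parse_keys(colons):
    """Return [(record_type, bits, fingerprint)] for each pub/sub record."""
    keys, pending = [], None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            pending = (f[0], int(f[2]))            # field 3 = key length in bits
        elif f[0] == "fpr" and pending:
            keys.append((*pending, f[9].upper()))  # field 10 = fingerprint
            pending = None
    return keys

def norm(fpr):
    """Strip the spacing people use when writing or reading fingerprints."""
    return "".join(fpr.split()).upper()

def check(colons, expected_primary, expected_sub=None):
    """Compare gpg's listing with fingerprints obtained out of band."""
    keys = parse_keys(colons)
    primary = next(k for k in keys if k[0] == "pub")
    subs = [k for k in keys if k[0] == "sub"]
    findings = []
    if primary[2] != norm(expected_primary):
        findings.append("primary fingerprint mismatch")
    if expected_sub is not None:
        if norm(expected_sub) not in [fpr for _, _, fpr in subs]:
            findings.append("subkey fingerprint mismatch")
    else:
        # Only the primary's binding signature vouches for these subkeys.
        findings += [f"subkey {fpr[-8:]}: {bits} bits bound by {primary[1]}-bit primary"
                     for _, bits, fpr in subs if bits > primary[1]]
    return findings

if __name__ == "__main__":
    print(check(SAMPLE, "1111 2222 3333 4444 5555  6666 7777 8888 9999 0000"))
```
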