Fingerprint confusion.
Werner Koch
wk@gnupg.org
Mon Aug 26 17:06:01 2002
On Sat, 24 Aug 2002 12:10:46 +0100 (BST), john clark said:
> Being shown the fingerprint of the sub/encryption key
> during encryption while the fingerprint being given by
> the --fingerprint option is from the primary key.
We are now printing a more clear message, e.g.:
  gpg: xxxxxxxx: There is no indication that this key really belongs to the owner
  2048g/xxxxxxxx: ..
       Primary key fingerprint: ...
       Subkey fingerprint: ...
If the primary key is used, we don't print the subkey fingerprint of
course.
There is a reason why the subkey is printed: If you have a very strong
subkey (say 4k bits), it does not match the strength of a (say) 1024
bit primary key. An attacker could in theory then try to break the
primary key and create a new subkey, which he can do because the subkey
is bound to the primary by a signature created with the primary. To
avoid this, one could exchange the fingerprint of the subkey by other
secure means to see whether they match.
Salam-Shalom,
Werner
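
The check described in the message above, as an added example that is not part of the original post and is not GnuPG code: it parses a key listing in the colon format produced by `gpg --with-colons --fingerprint --fingerprint` and compares both the primary and the subkey fingerprint against values received out of band. The sample listing, key IDs and fingerprints are constructed, the function names are hypothetical, and comparing bit lengths is only a crude stand-in for key strength.

```python
# Constructed sample in the style of `gpg --with-colons --fingerprint --fingerprint`
# (all key IDs and fingerprints are made up; 17 = DSA, 16 = Elgamal).
SAMPLE = """\
pub:-:1024:17:1111111111111111:1030000000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:-::::1030000000::::Constructed User <user@example.org>:
sub:-:4096:16:2222222222222222:1030000000::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
"""

def parse_keys(listing):
    """Group pub/sub records with the fpr record that follows each of them."""
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            # field 3 = key length, field 4 = algorithm, field 5 = key ID
            current = {"bits": int(f[2]), "algo": int(f[3]), "keyid": f[4], "fpr": None}
            if f[0] == "pub":
                keys.append({"primary": current, "subkeys": []})
            elif keys:
                keys[-1]["subkeys"].append(current)
        elif f[0] == "fpr" and current is not None and current["fpr"] is None:
            current["fpr"] = f[9]  # field 10 carries the fingerprint
    return keys

def normalize(fpr):
    """Accept fingerprints typed with spaces or in lower case."""
    return "".join(fpr.split()).upper()

def check_fingerprints(keys, primary_fpr, subkey_fpr):
    """Compare out-of-band fingerprints with the listing; flag a weaker primary."""
    want_p, want_s = normalize(primary_fpr), normalize(subkey_fpr)
    for key in keys:
        if key["primary"]["fpr"] != want_p:
            continue
        subs = key["subkeys"]
        return {
            "primary_ok": True,
            # False here means the subkey in the keyring is not the one the owner gave us
            "subkey_ok": any(s["fpr"] == want_s for s in subs),
            "primary_weaker": any(s["bits"] > key["primary"]["bits"] for s in subs),
        }
    return {"primary_ok": False, "subkey_ok": False, "primary_weaker": False}

if __name__ == "__main__":
    print(check_fingerprints(parse_keys(SAMPLE),
                             "AAAA AAAA AAAA AAAA AAAA AAAA 1111 1111 1111 1111",
                             "bbbb bbbb bbbb bbbb bbbb bbbb 2222 2222 2222 2222"))
```

A result with `primary_ok` true but `subkey_ok` false is the case the message warns about: the primary fingerprint still matches while the subkey bound to it is not the one the owner exchanged.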