struggling with potential keyid conflicts

David Shaw dshaw at jabberwocky.com
Tue Jan 27 22:05:41 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jan 27, 2004 at 04:05:31PM -0800, vedaal at hush.com wrote:

> >The old PGP 2.x (v3) keys have trivially forgeable keyids and
> >fingerprints.  There is no way to really secure against that, as it
> >is inherent in the key format.  Don't use them.
> 
> the eight character key id may be easy to forge, but is the
> fingerprint too?

Yes.  The v3 fingerprint algorithm is flawed, and allows someone to
trivially duplicate someone else's fingerprint.  The giveaway is that
the forged key cannot have the same size as the real key.

This problem doesn't exist in v4 OpenPGP keys.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.5-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iHEEARECADEFAkAXJwUqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk
L2tleXMuYXNjAAoJEOJmXIdJ4cvJdB0AnRyI9X9qHIvbNjlbhNDcQIsQd/jRAJ9N
02LF6TwVBqirEedHDH9+KHS6qw==
=Vmss
-----END PGP SIGNATURE-----
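The following is an added example, not part of the original message: it computes both fingerprint types as defined in RFC 4880 section 12.2, to show why a v3 fingerprint has to be checked together with the key size while a v4 fingerprint does not. The values N, E and the helpers resplit and v3_match are hypothetical names with constructed sample data, not a real RSA key.

```python
import hashlib

def mpi_body(x: int) -> bytes:
    """Big-endian magnitude of x without leading zero octets (the MPI body)."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def mpi(x: int) -> bytes:
    """Full OpenPGP MPI: two-octet bit count followed by the body."""
    return x.bit_length().to_bytes(2, "big") + mpi_body(x)

def v3_fingerprint(n: int, e: int) -> str:
    # v3: MD5 over the MPI bodies of n then e; the length prefixes are
    # NOT hashed, so the boundary between n and e is not authenticated.
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest()

def v4_fingerprint(created: int, n: int, e: int) -> str:
    # v4: SHA-1 over 0x99, two-octet packet length, then the whole key packet
    # (version 4, creation time, algorithm 1 = RSA, MPIs with length prefixes).
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()

def resplit(n: int, e: int, shift: int):
    """Reinterpret the same octet stream with the n/e boundary moved by `shift`."""
    data = mpi_body(n) + mpi_body(e)
    cut = len(mpi_body(n)) - shift
    return int.from_bytes(data[:cut], "big"), int.from_bytes(data[cut:], "big")

def v3_match(claimed_fpr: str, claimed_bits: int, n: int, e: int) -> bool:
    """Defensive check: a v3 key matches only if fingerprint AND size agree."""
    return v3_fingerprint(n, e) == claimed_fpr and n.bit_length() == claimed_bits

# Constructed sample values (not a real RSA modulus).
N = int.from_bytes(bytes(range(0x81, 0xC1)), "big") | 1   # 512 bits
E = 65537
N2, E2 = resplit(N, E, 2)   # same octets, different (n, e) interpretation

if __name__ == "__main__":
    print("v3:", v3_fingerprint(N, E), N.bit_length(), "bits")
    print("v3:", v3_fingerprint(N2, E2), N2.bit_length(), "bits")
    print("v4:", v4_fingerprint(0, N, E))
    print("v4:", v4_fingerprint(0, N2, E2))
    print("size-aware check rejects second key:",
          not v3_match(v3_fingerprint(N, E), N.bit_length(), N2, E2))
```

The two v3 lines print the same fingerprint with different bit lengths, which is the size giveaway described above; the v4 values differ because the MPI length prefixes are part of the hashed data.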


