struggling with potential keyid conflicts
David Shaw
dshaw at jabberwocky.com
Wed Jan 28 11:00:00 CET 2004
On Wed, Jan 28, 2004 at 06:42:02AM -0800, vedaal at hush.com wrote:
>
> >> the eight character key id may be easy to forge, but is the
> >> fingerprint too?
> >
> >Yes. The v3 fingerprint algorithm is flawed, and allows someone to
> >trivially duplicate someone elses fingerprint. The giveaway is
> >that the forged key cannot have the same size as the real key.
>
> Thanks,
>
> so the defense then against a fingerprint forgery is even more
> trivial:
>
> a v3 user just lists his/her key size as well as the fingerprint and
> keyid
Correct.
> (not yet a reason to drop v3's ;-) )
> (the reason to maintain it, is the convenience of a
> 'one key fits all implementations'
Well, they don't really fit all implementations. There are a whole
collection of little fussy details with v3 keys that cause large
interoperability problems. It would be a kindness to all other users
of PGP and GnuPG if v3 key users would migrate to v4 keys.
David
More information about the Gnupg-users
mailing list