struggling with potential keyid conflicts

David Shaw dshaw at
Wed Jan 28 11:00:00 CET 2004

On Wed, Jan 28, 2004 at 06:42:02AM -0800, vedaal at wrote:
> >> the eight character key id may be easy to forge, but is the
> >> fingerprint too?
> >
> >Yes.  The v3 fingerprint algorithm is flawed, and allows someone to
> >trivially duplicate someone elses fingerprint.  The giveaway is
> >that the forged key cannot have the same size as the real key.
> Thanks,
> so the defense then against a fingerprint forgery is even more
> trivial:
> a v3 user just lists his/her key size as well as the fingerprint and
> keyid


> (not yet a reason to drop v3's  ;-) )
> (the reason to maintain it, is the convenience of a 
> 'one key fits all implementations'

Well, they don't really fit all implementations.  There are a whole
collection of little fussy details with v3 keys that cause large
interoperability problems.  It would be a kindness to all other users
of PGP and GnuPG if v3 key users would migrate to v4 keys.


More information about the Gnupg-users mailing list