Forging fingerprints/KeyID?

Atom Smasher atom at
Tue Nov 29 12:00:32 CET 2005

On Mon, 28 Nov 2005, David Shaw wrote:

> On Tue, Nov 29, 2005 at 05:36:38AM +0100, Christoph Anton Mitterer wrote:
>> Ah,.. thanks :-)
>> So it should be completely enough to verify Name/eMail and the
>> Fingerprint when signing another key,... and I don't have to compare
>> creation date/keysize/algorithm/etc., right?
> Not unless you're signing a PGP 2.x (v3) key.

how feasible would it be for an attacker to create a small (512 bit?) v4 
key with the same key id as a target key (irrespective of the size and 
algorithm of the target key)?

it may not be practical today to do this with a fingerprint collision, but 
i subscribe to the theory that it doesn't hurt to check the size and 
algorithm of keys before signing them.


  PGP key -
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

 	"Written laws are like spiders' webs, and will, like them,
 	 only entangle and hold the poor and weak, while the rich
 	 and powerful easily break through them."
 		-- Anacharsis - (Scythian philosopher - 600 B.C.E.)
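
Added example, not part of the original message: a sketch of how a v4 fingerprint and the key IDs are derived from the public-key packet (RFC 4880, section 12.2), with a pre-signing comparison of fingerprint, algorithm and size. The helper names (make_rsa_body, describe_v4_key, ids_from_fingerprint, mismatches) and the sample integers are assumptions made for illustration; the sample values are constructed and are not real keys.

```python
import hashlib
import struct

ALGO_NAMES = {1: "RSA", 16: "Elgamal", 17: "DSA"}  # RFC 4880 section 9.1

def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def make_rsa_body(created: int, n: int, e: int = 65537) -> bytes:
    """Hypothetical helper: v4 public-key packet body for an RSA key."""
    return struct.pack(">BIB", 4, created, 1) + mpi(n) + mpi(e)

def describe_v4_key(body: bytes) -> dict:
    """Fingerprint, key IDs, algorithm and size from a v4 public-key packet body."""
    version, created, algo = struct.unpack(">BIB", body[:6])
    if version != 4:
        raise ValueError("only v4 keys are handled here")
    bits = struct.unpack(">H", body[6:8])[0]  # bit count of the first MPI (RSA n, DSA/Elgamal p)
    # v4 fingerprint = SHA-1(0x99 || 2-byte body length || body); it covers the
    # creation time, the algorithm and the key material.
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return {"fingerprint": fpr, "long_id": fpr[-16:], "short_id": fpr[-8:],
            "algo": ALGO_NAMES.get(algo, str(algo)), "bits": bits, "created": created}

def ids_from_fingerprint(text: str) -> tuple:
    """Long (64-bit) and short (32-bit) key ID implied by a printed v4 fingerprint."""
    fpr = text.replace(" ", "").upper()
    if len(fpr) != 40:
        raise ValueError("a v4 fingerprint is 40 hex digits")
    return fpr[-16:], fpr[-8:]

def mismatches(candidate: dict, expected: dict) -> list:
    """Fields that differ from what the owner stated; an empty list means all agree."""
    return [f for f in ("fingerprint", "algo", "bits") if candidate[f] != expected[f]]

# Constructed sample values (not real keys): integers of the right bit length only.
N512, N2048 = (1 << 511) | 1, (1 << 2047) | 1
STATED = describe_v4_key(make_rsa_body(1133265632, N2048))   # what the owner read out
OFFERED = describe_v4_key(make_rsa_body(1133265632, N512))   # what the keyserver returned

if __name__ == "__main__":
    print(ids_from_fingerprint("762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808"))
    print(mismatches(OFFERED, STATED))  # fingerprint and bits differ
```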
