Forging fingerprints/KeyID?

Atom Smasher atom at smasher.org
Tue Nov 29 12:00:32 CET 2005


On Mon, 28 Nov 2005, David Shaw wrote:

> On Tue, Nov 29, 2005 at 05:36:38AM +0100, Christoph Anton Mitterer wrote:
>> Ah,.. thanks :-)
>> So it should be completely enough to verify Name/eMail and the
>> Fingerprint when signing another key,... and I don't have to compare
>> creation date/keysize/algorithm/etc., right?
>
> Not unless you're signing a PGP 2.x (v3) key.
==================

how feasible would it be for an attacker to create a small (512 bit?) v4 
key with the same key id as a target key (irrespective of the size and 
algorithm of the target key)?

it may not be practical today to do this with a fingerprint collision, but 
i subscribe to the theory that it doesn't hurt to check the size and 
algorithm of keys before signing them.


-- 
         ...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"Written laws are like spiders' webs, and will, like them,
 	 only entangle and hold the poor and weak, while the rich
 	 and powerful easily break through them."
 		-- Anacharsis - (Scythian philosopher - 600 B.C.E.)
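
An added example, not part of the original message: how a v4 fingerprint and key ID are derived per RFC 4880 (SHA-1 over the public-key packet, with the key ID being its low 64 bits), next to the size/algorithm check discussed above. The helper names, the `min_bits` threshold and the sample integers are assumptions made for illustration; the integers are constructed and are not real RSA moduli.

```python
import hashlib
import struct

RSA = 1  # public-key algorithm ID for RSA (RFC 4880)

def mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-byte big-endian bit count, then the magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_rsa_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet: version, creation time, algo, n, e."""
    return struct.pack(">BIB", 4, created, RSA) + mpi(n) + mpi(e)

def fingerprint(body: bytes) -> bytes:
    """v4 fingerprint: SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_id(body: bytes) -> bytes:
    """v4 key ID: only the low-order 64 bits of the 160-bit fingerprint."""
    return fingerprint(body)[-8:]

def describe(body: bytes):
    """Return (version, created, algorithm, bit length of the first MPI)."""
    version, created, algo = struct.unpack(">BIB", body[:6])
    (bits,) = struct.unpack(">H", body[6:8])
    return version, created, algo, bits

def check_before_signing(body: bytes, claimed_fpr_hex: str, min_bits: int = 2048):
    """Compare the full fingerprint, and report algorithm and size as well.
    min_bits is a hypothetical local policy value, not taken from the thread."""
    version, _, algo, bits = describe(body)
    claimed = bytes.fromhex(claimed_fpr_hex.replace(" ", ""))
    return {
        "fingerprint_ok": version == 4 and fingerprint(body) == claimed,
        "algo": algo,
        "bits": bits,
        "size_ok": bits >= min_bits,
    }

# Constructed sample values: odd integers of the right length, not real keys.
CREATED = 1100000000
BIG = v4_rsa_body(CREATED, (1 << 2047) | 1, 65537)
SMALL = v4_rsa_body(CREATED, (1 << 511) | 1, 65537)

if __name__ == "__main__":
    fpr = fingerprint(BIG).hex().upper()
    print("fingerprint:", fpr, "key id:", key_id(BIG).hex().upper())
    print(check_before_signing(BIG, fpr))
    print(check_before_signing(SMALL, fpr))  # different key material: mismatch
```

Because the creation time, algorithm and key material are all hashed, changing any of them changes the full fingerprint; the key ID exposes only 64 of those 160 bits.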




