dshaw at jabberwocky.com
Tue Nov 29 16:01:59 CET 2005
On Tue, Nov 29, 2005 at 06:00:32AM -0500, Atom Smasher wrote:
> On Mon, 28 Nov 2005, David Shaw wrote:
> >On Tue, Nov 29, 2005 at 05:36:38AM +0100, Christoph Anton Mitterer wrote:
> >>Ah,.. thanks :-)
> >>So it should be completely enough to verify Name/eMail and the
> >>Fingerprint when signing another key,... and I don't have to compare
> >>creation date/keysize/algorithm/etc., right?
> >Not unless you're signing a PGP 2.x (v3) key.
> how feasible would it be for an attacker to create a small (512 bit?) v4
> key with the same key id as a target key (irrelevant of the size and
> algorithm of the target key)?
It's pretty easy to create a short (eg, 99242560) key ID collision -
just generate keys over and over on a reasonably fast desktop machine
until you collide. It's not yet realistic to create a long key ID
collision (eg, DB698D7199242560) intentionally, though it does happen
every now and then by accident. It's currently completely out of the
question to intentionally create a colliding v4 fingerprint. To do so
would imply a total break of SHA-1, in which case we have other
problems. Note that even MD5 isn't broken to that extent.
> it may not be practical today to do this with a fingerprint collision, but
> i subscribe to the theory that it doesn't hurt to check the size and
> algorithm of keys before signing them.
It doesn't hurt, but it doesn't help either. Actually, it's not true
that it doesn't hurt - it does hurt a little if people start to believe
that this actually protects them in a meaningful way. It's important
to be honest with yourself.
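
The following is an added example, not part of the original message. It computes a v4 fingerprint as RFC 4880 defines it (SHA-1 over 0x99, a two-octet length, and the public key packet body), shows that the creation time and algorithm are inside the hashed data, and compares full fingerprints rather than key IDs before signing. The key material, the function names and the `safe_to_sign` policy are assumptions made for illustration.

```python
import hashlib
import struct

def v4_fingerprint(packet_body: bytes) -> str:
    """SHA-1 over 0x99 || 2-octet big-endian length || v4 public key packet body."""
    if not packet_body or packet_body[0] != 4:
        raise ValueError("not a v4 public key packet body")
    prefix = b"\x99" + struct.pack(">H", len(packet_body))
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()

def long_key_id(fpr: str) -> str:
    return fpr[-16:]   # low 64 bits of the fingerprint

def short_key_id(fpr: str) -> str:
    return fpr[-8:]    # low 32 bits of the fingerprint

def normalize(fpr: str) -> str:
    """Strip the spacing used on paper slips; require exactly 40 hex digits."""
    cleaned = "".join(fpr.split()).upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return cleaned

def safe_to_sign(fpr_from_owner: str, fpr_of_local_key: str) -> bool:
    """Hypothetical policy check: only a full fingerprint match counts."""
    return normalize(fpr_from_owner) == normalize(fpr_of_local_key)

def constructed_body(created: int, n: int, algo: int = 1) -> bytes:
    """Constructed sample packet body: version, creation time, algorithm, MPIs.
    The modulus is arbitrary test data, not a usable RSA key."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    return bytes([4]) + struct.pack(">I", created) + bytes([algo]) + mpi(n) + mpi(65537)

def demo() -> dict:
    n = (1 << 511) | 0x10001                       # constructed value
    fpr = v4_fingerprint(constructed_body(1133276519, n))
    later = v4_fingerprint(constructed_body(1133276520, n))   # creation time + 1 s
    lookalike = "0" * 32 + short_key_id(fpr)       # constructed: same short key ID only
    return {
        "fingerprint": fpr,
        "creation_time_is_hashed": later != fpr,
        "short_ids_match": short_key_id(lookalike) == short_key_id(fpr),
        "lookalike_accepted": safe_to_sign(lookalike, fpr),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```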