howto secure older keys after the recent attacks
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Sep 10 18:22:30 CEST 2009
On 09/10/2009 10:54 AM, Robert J. Hansen wrote:
> On Thu, 2009-09-10 at 14:02 +0200, Philippe Cerfon wrote:
>> I thought the key ID is only used for humans to short check the
>> keys,.. but not in the system itself?!
> Nope, it's pretty pervasive in the system.

Unless I misunderstand the context, I think I disagree with your
characterization here, Robert.

The Key ID is a substring (either the last 8 or 16 hex chars) of the Key
Fingerprint (which is 40 hex chars). The Key ID is used nowhere in the
internals of the OpenPGP specification, from what I can tell.

The fingerprint itself is used only in the designated revocation key,
which is an acknowledged weakness of the cryptosystem. It's
not used anywhere else that I can tell.

So I think Philippe Cerfon's characterization is pretty accurate,
actually. The fingerprint (and to a weaker extent, the keyID) is useful
where the mechanical implementation meets the human mind. But I don't
think either is used internally to the OpenPGP cryptosystem in many
places at all.
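
The relationship between fingerprint and Key ID described in the message above, as an added example that is not part of the original post: it computes a version 4 fingerprint as RFC 4880 defines it, takes the 16- and 8-digit Key IDs from its tail, and compares a human-supplied fingerprint against the key material while refusing anything shorter than the full 40 hex digits. The modulus, exponent, creation time and the helper name `matches_pinned` are constructed for illustration and do not belong to any real key or tool.

```python
import hashlib
import hmac
import struct

# Constructed sample values (product of two Mersenne primes); not a usable key.
SAMPLE_N = (2**127 - 1) * (2**89 - 1)
SAMPLE_E = 65537
SAMPLE_CREATED = 1252599750  # constructed creation timestamp

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880, 12.2)."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()

def key_ids(fingerprint: str) -> tuple:
    """Return (long, short) Key IDs: the last 16 and last 8 hex digits."""
    if len(fingerprint) != 40:
        raise ValueError("expected a 40-hex-digit V4 fingerprint")
    return fingerprint[-16:], fingerprint[-8:]

def matches_pinned(pinned: str, body: bytes) -> bool:
    """Check a human-supplied fingerprint against key material; Key IDs are refused."""
    wanted = pinned.replace(" ", "").upper()
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    if len(wanted) != 40 or any(c not in "0123456789ABCDEF" for c in wanted):
        raise ValueError("need the full 40-hex-digit fingerprint, not a Key ID")
    return hmac.compare_digest(wanted, v4_fingerprint(body))

if __name__ == "__main__":
    body = v4_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    fpr = v4_fingerprint(body)
    long_id, short_id = key_ids(fpr)
    print("fingerprint:", fpr)
    print("long Key ID:", long_id)
    print("short Key ID:", short_id)
    print("full fingerprint accepted:", matches_pinned(fpr.lower(), body))
```

Because the creation time is part of the hashed packet body, the same RSA numbers with a different timestamp yield a different fingerprint and different Key IDs.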