howto secure older keys after the recent attacks

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Sep 10 18:22:30 CEST 2009


On 09/10/2009 10:54 AM, Robert J. Hansen wrote:
> On Thu, 2009-09-10 at 14:02 +0200, Philippe Cerfon wrote:
>> I thought the key ID is only used for humans to short check the
>> keys,.. but not in the system itself?!
> 
> Nope, it's pretty pervasive in the system.

Unless i misunderstand the context, I think I disagree with your
characterization here, Robert.

The Key ID is a substring (either the last 8 or 16 hex chars) of the Key
Fingerprint (which is 40 hex chars).  The Key ID is used nowhere in the
internals of the OpenPGP specification, from what i can tell.

The fingerprint itself is used only in the designated revocation key
[0], which is an acknowledged weakness of the cryptosystem [1].  It's
not used anywhere else that i can tell.

So I think Philippe Cerfon's characterization is pretty accurate,
actually.  The fingerprint (and to a weaker extent, the keyID) is useful
where the mechanical implementation meets the human mind.  But I don't
think either are used internally to the OpenPGP cryptosystem in many
places at all.

	--dkg

[0] http://tools.ietf.org/html/rfc4880#section-5.2.3.15
[1] http://www.imc.org/ietf-openpgp/mail-archive/msg33257.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 891 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090910/41437c56/attachment.pgp>


More information about the Gnupg-users mailing list