vedaal at vedaal at
Fri Jun 22 19:44:35 CEST 2012

On Fri, 22 Jun 2012 12:56:46 -0400 Robert J. Hansen 
<rjh at> wrote:
>On 6/22/2012 12:39 PM, vedaal at wrote:

>> " trivially countered by 
>> simply listing the keysize together with the fingerprint."
>This is, unfortunately, not a trivial fix.
>Already people don't pay attention to proper validation because 
>the idea
>of checking the fingerprint is alien to them, they don't 
>understand it,
>don't understand why it's necessary.  Adding another step of 
>"verify the
>keysize, too" will just compound the problem.

I'm not now, (and have not been since the ADK v4 bug was fixed ;-) 
), advocating that people should generate v3 keys as a choice.

Anyone new to crypto, should definitely use only a v4 key.

As you mentioned earlier, the v3 people have an entrenched user-
base, and are hardly novices, and 'for them', listing the keysize 
with the fingerprint, really is trivial.

(I never called it a 'fix'. It's an easily describable and do-able 
workaround for people who need their v3's for their preferred 


More information about the Gnupg-users mailing list