Vanity Keys
Werner Koch
wk at gnupg.org
Tue Jan 13 21:38:42 CET 2015
On Tue, 13 Jan 2015 20:53, ndk.clanbo at gmail.com said:
> What I don't understand (surely because of my ignorance of GPG inner
> working) is what that should add to the security... IOW, if the private
Indirectly due to a DoS. By creating a duplicated long key id and
having someone import that one it makes it impossible to verify a
signature made by the original key. Well, we could also change the code
to trial verify with all key ids but that takes longer than needed and
may by itself be used as a DoS.
> key have been generated by a third party to have a certain fingerprint,
> what's the purpose of adding that fingerprint to the signature?
Preimage attacks on SHA-1 fingerprints are not even on the horizon. By
the time they are possible all kind of other serious attacks will also
be possible.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-users
mailing list