Vanity Keys

Werner Koch wk at
Tue Jan 13 21:38:42 CET 2015

On Tue, 13 Jan 2015 20:53, ndk.clanbo at said:

> What I don't understand (surely because of my ignorance of GPG inner
> working) is what that should add to the security... IOW, if the private

Indirectly due to a DoS.  By creating a duplicated long key id and
having someone import that one it makes it impossible to verify a
signature made by the original key.  Well, we could also change the code
to trial verify with all key ids but that takes longer than needed and
may by itself be used as a DoS.

> key have been generated by a third party to have a certain fingerprint,
> what's the purpose of adding that fingerprint to the signature?

Preimage attacks on SHA-1 fingerprints are not even on the horizon.  By
the time they are possible all kind of other serious attacks will also
be possible.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list