Why do Key Fingerprints include Creation Timestamp?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 31 05:19:50 CET 2018


On Tue 2018-01-30 21:35:57 -0500, FuzzyDrawrings via Gnupg-users wrote:
> Wouldn't it make more sense to hash only the public-key's MPI
> value(s)? That way if an implementation's code fails to generate a
> unique key-pair, it will be known because the fingerprint will be the
> same as some other key.
>
> But as it is, with the Fingerprint hash including the timestamp, any
> "colliding" keys will have different fingerprints and so will go
> undetected.
>
> Is there a good reason for it to be this way?

This is a great question, and one that i've struggled with over time.  I
currently think that including the creation time in the fingerprint is a
*good* thing, but i have felt otherwise in the past.

The first thing to realize is that an OpenPGP certificate (a
"transferable public key" in the text of RFC 4880) is not an immutable
object -- it consists of a series of packets, and that collection of
packets can change over time (or some people can hold some packets of a
cert and other people hold others, so they see slightly different
certs), though the fingerprint remains constant.

So, including the creation date in the fingerprint means that if you
know the fingerprint and your tools depend on it (or it's included in
things like the signer fingerprint subpacket as modern implementations
do), you've locked down the key's creation date, and it cannot be
modified or replaced in the future regardless of how the certificate
changes.  Also, it cannot seem to be created at one time to some people
and another way to other people.  knowing the cert creation date can
useful because it provides a bound on what kind of signatures are
sensible.  (e.g. a signature made before your key was created is super
fishy).

If your goal is to detect colliding key material, *you can do that too*,
just by looking at the MPIs themselves directly.  But given that the
fingerprint kind of "locks in" the data that it covers, and it can be
handy to know that the creation date of an OpenPGP certificate is
immutable.

does that make sense?

     --dkg



More information about the Gnupg-users mailing list