On Mon, 28 Nov 2005, David Shaw wrote:

> On Tue, Nov 29, 2005 at 05:36:38AM +0100, Christoph Anton Mitterer wrote:
>> Ah,.. thanks :-)
>> So it should be completely enough to verify Name/eMail and the
>> Fingerprint when signing another key,... and I don't have to compare
>> creation date/keysize/algorithm/etc., right?
>
> Not unless you're signing a PGP 2.x (v3) key.
==================

how feasible would it be for an attacker to create a small (512 bit?) v4 key with the same key id as a target key (irrespective of the size and algorithm of the target key)?

it may not be practical today to do this with a fingerprint collision, but i subscribe to the theory that it doesn't hurt to check the size and algorithm of keys before signing them.


--
        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

        "Written laws are like spiders' webs, and will, like them,
         only entangle and hold the poor and weak, while the rich
         and powerful easily break through them."
                -- Anacharsis - (Scythian philosopher - 600 B.C.E.)



_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
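
Why the v3 caveat in the quoted reply matters, as an added example that is not part of the original thread: following RFC 4880 section 12.2, a v4 fingerprint hashes the whole public-key packet body (creation date, algorithm, MPIs with their bit counts), while a v3 fingerprint hashes only the RSA number magnitudes. The helper names and the toy values `N`, `E`, `T` are constructed for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def pubkey_body(version: int, created: int, n: int, e: int, algo: int = 1) -> bytes:
    """Body of an RSA public-key packet (RFC 4880, section 5.5.2)."""
    head = bytes([version]) + struct.pack(">I", created)
    if version == 3:
        head += struct.pack(">H", 0)  # v3 only: validity in days, 0 = no expiry
    return head + bytes([algo]) + mpi(n) + mpi(e)

def read_mpis(buf: bytes) -> list:
    """Split a run of MPIs into their magnitudes (bit-count prefix dropped)."""
    out = []
    while buf:
        size = (struct.unpack(">H", buf[:2])[0] + 7) // 8
        out.append(buf[2:2 + size])
        buf = buf[2 + size:]
    return out

def describe(body: bytes) -> dict:
    """Fingerprint and key ID of an RSA public-key packet body (RFC 4880, 12.2)."""
    version = body[0]
    off = {3: 7, 4: 5}[version]          # offset of the algorithm octet
    n, e = read_mpis(body[off + 1:])
    if version == 4:
        # SHA-1 over 0x99, length, and the WHOLE body: date, algorithm, MPIs.
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
        keyid = fpr[-8:]                 # key ID = low 64 bits of the fingerprint
    else:
        # MD5 over the MPI magnitudes only; date and algorithm are not hashed.
        fpr = hashlib.md5(n + e).digest()
        keyid = n[-8:]                   # key ID = low 64 bits of the modulus
    return {"version": version, "created": struct.unpack(">I", body[1:5])[0],
            "algo": body[off], "bits": int.from_bytes(n, "big").bit_length(),
            "fpr": fpr.hex().upper(), "keyid": keyid.hex().upper()}

# Constructed toy values for illustration; N is not a usable RSA modulus.
N, E, T = (1 << 511) | 0x1234567890ABCDEF, 65537, 1133222400

if __name__ == "__main__":
    for ver in (4, 3):
        a = describe(pubkey_body(ver, T, N, E, algo=1))
        b = describe(pubkey_body(ver, T + 86400, N, E, algo=3))
        print(f"v{ver}: same fingerprint after changing date and algorithm:",
              a["fpr"] == b["fpr"])
```

In both versions the key ID is at most 64 bits, so a matching key ID is a far weaker check than a matching fingerprint.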
