On 02/15/2011 09:22 PM, lists.gn...@mephisto.fastmail.net wrote:
> If you have your public key published somewhere, such as on a key
> server, the Key ID is a way for other people to unambiguously look up
> the full key.
You're quite correct that the key ID provides a handle that references the actual public key, and is not the public key itself. However, the key ID is not guaranteed to be unique. In fact, short key IDs (of the form 0xDEADBEEF) are trivial to find collisions for -- there just aren't enough of them, so the search space is small enough to exhaust with very commonplace hardware. Long-form keyIDs (of the form 0xDECAFBADDEADBEEF) are significantly harder to spoof, but easily within reach of a well-funded organization.

The full fingerprint itself (mine is 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9) is much closer to what you describe as an "unambiguous lookup". While the spec counsels that it is also possible for two keys to share a fingerprint, the chances of that happening are believed to be dramatically closer to 0 than the other shorter forms:

https://tools.ietf.org/html/rfc4880#section-12.2

Note also that the long-form keyID is just the last 16 hex digits of the fingerprint, and the short-form keyID is just the last 8 hex digits. So if you know the fingerprint, you know the other identifiers.

Regards,

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
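As an added illustration of the relationship dkg describes (not code from the thread or from GnuPG), the following Python derives a version 4 fingerprint from a public-key packet body the way RFC 4880 section 12.2 specifies (SHA-1 over 0x99, the two-octet body length, and the body), and then slices the long and short key IDs off the end of that fingerprint. The RSA modulus, exponent and creation time used to build the packet are constructed demo values, not a real key; the function names are this example's own. The `key_ids` call on the fingerprint quoted in the message shows why a short ID is a weak handle: it is only the final 8 of 40 hex digits, so matching it says little about which key was actually fetched.

```python
import hashlib
import struct
from typing import List, Tuple

# Constructed demo values (not a real key): a toy RSA modulus, the usual
# public exponent 65537, a creation time in early 2011, and algorithm id 1 (RSA).
DEMO_N = 0xC0FFEE1234567890ABCDEF1122334455667788990AABBCCDDEEFF00112233445566778899
DEMO_E = 65537
DEMO_CREATED = 1297800000
ALGO_RSA = 1

# Fingerprint quoted in dkg's message, used here only to derive its key IDs.
DKG_FINGERPRINT = "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9"


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 3.2):
    two-octet bit length, then the big-endian magnitude."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_packet_body(created: int, algo: int, mpis: List[int]) -> bytes:
    """Build the body of a version 4 public-key packet (RFC 4880 5.5.2):
    version octet, 4-octet creation time, algorithm octet, then the key MPIs."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([algo])
    for m in mpis:
        body += mpi(m)
    return body


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 of 0x99 || two-octet body length || body,
    returned as 40 upper-case hex digits."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def key_ids(fingerprint: str) -> Tuple[str, str]:
    """Return (long key ID, short key ID): the last 16 and last 8 hex digits
    of a v4 fingerprint. Spaces, as gpg prints them, are tolerated."""
    fp = fingerprint.replace(" ", "").upper()
    if len(fp) != 40 or any(c not in "0123456789ABCDEF" for c in fp):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fp[-16:], fp[-8:]


def identifier_strength(identifier: str) -> str:
    """Classify a handle someone handed you: 8 hex digits is a short key ID,
    16 a long key ID, 40 a full fingerprint. Only the last is worth
    treating as an unambiguous reference to one key."""
    h = identifier.replace(" ", "").upper()
    if h.startswith("0X"):
        h = h[2:]
    return {8: "short key id", 16: "long key id", 40: "fingerprint"}.get(len(h), "unknown")


def same_key(fingerprint_a: str, fingerprint_b: str) -> bool:
    """The check a verifier should actually perform: compare full fingerprints,
    normalised, rather than any key-ID suffix."""
    return fingerprint_a.replace(" ", "").upper() == fingerprint_b.replace(" ", "").upper()


def demo() -> dict:
    """Fingerprint the constructed key and show all three identifiers for it
    alongside those derived from the fingerprint in the message."""
    body = v4_public_key_packet_body(DEMO_CREATED, ALGO_RSA, [DEMO_N, DEMO_E])
    fp = v4_fingerprint(body)
    long_id, short_id = key_ids(fp)
    dkg_long, dkg_short = key_ids(DKG_FINGERPRINT)
    return {
        "demo_fingerprint": fp,
        "demo_long_id": long_id,
        "demo_short_id": short_id,
        "dkg_long_id": dkg_long,
        "dkg_short_id": dkg_short,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it prints the constructed key's fingerprint and its two derived IDs, followed by the long ID CCD2ED94D21739E9 and short ID D21739E9 taken from the fingerprint in the message. The point of `identifier_strength` and `same_key` is the practical one: when a correspondent gives you a key ID and you retrieve a key from a keyserver, a suffix match is necessary but not sufficient, and the comparison worth trusting is the full 40-digit fingerprint.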