Hi

> Only the right key will actually work for verification, but the program may 
> not be able to find that right key.

Wouldn’t this issue of possible collisions in the long key ID (64 bits / 16 hex
digits) causing problems for the GPG program only be an issue in an organisational
setting, where there is a large number of users sharing that program and where keys
are uploaded to/retrieved from key servers using short IDs?

For an individual who for example only imports keys with fingerprints (160 bits / 40 hex)
and publishes their fingerprint rather than the short or long key ID, how can this
risk arise or is there still an issue with key servers?

Sandeep Murthy
s.mur...@mykolab.com

> On 13 Jan 2015, at 20:52, David Shaw <ds...@jabberwocky.com> wrote:
> 
> On Jan 13, 2015, at 2:53 PM, NdK <ndk.cla...@gmail.com> wrote:
>> 
>> Il 13/01/2015 16:34, David Shaw ha scritto:
>> 
>>> I like the idea of adding a proper fingerprint to signature packets.  I 
>>> seem to recall this was suggested once in the past, but I don't recall why 
>>> it wasn't pursued.
>> What I don't understand (surely because of my ignorance of GPG inner
>> working) is what that should add to the security... IOW, if the private
>> key has been generated by a third party to have a certain fingerprint,
>> what's the purpose of adding that fingerprint to the signature?
> 
> OpenPGP uses the 64-bit key ID to locate keys.  If two people have the same 
> 64-bit key ID, it doesn't mean that person A can impersonate person B, but it 
> does mean that if both person A and person B's keys are on a given keyring, 
> the verifying program will not know which key to use to check the signature.  
> Only the right key will actually work for verification, but the program may 
> not be able to find that right key.
> 
> The fingerprint is a 160-bit key ID - effectively impossible (given today's 
> knowledge) to impersonate.
> 
> David
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
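
As an added example (mine, not code from this thread or from GnuPG), here is how a v4 fingerprint and the 64-bit and 32-bit key IDs derived from it relate, and why a verifier that only has the key ID from a signature packet can be left with several candidate keys on one keyring while a fingerprint lookup is exact. The packet body, fingerprints and owner names are constructed for the demonstration, and the `Keyring` class is a hypothetical stand-in for the real keyring lookup.

```python
import hashlib

# Constructed fingerprints (40 hex digits each); nothing here is a real key.
ALICE_FPR = "111122223333444455556666" + "0123456789ABCDEF"
BOB_FPR = "AAAABBBBCCCCDDDDEEEEFFFF" + "0123456789ABCDEF"   # same low 64 bits as Alice
CAROL_FPR = "99998888777766665555444433332222FEDCBA98"


def v4_fingerprint(key_packet_body: bytes) -> str:
    """RFC 4880 s12.2: v4 fingerprint = SHA-1(0x99 || 2-octet length || packet body)."""
    if len(key_packet_body) > 0xFFFF:
        raise ValueError("public-key packet body too long for a v4 fingerprint")
    prefix = b"\x99" + len(key_packet_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + key_packet_body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    return fingerprint[-16:]   # low-order 64 bits of the fingerprint


def short_key_id(fingerprint: str) -> str:
    return fingerprint[-8:]    # low-order 32 bits of the fingerprint


def toy_key_packet() -> bytes:
    """Constructed v4 public-key packet body: version 4, creation time, algorithm 1
    (RSA), then MPIs n and e (2-octet bit count + magnitude). The 24-bit 'modulus'
    only exercises the encoding; it is not a usable key."""
    def mpi(value: int) -> bytes:
        nbytes = (value.bit_length() + 7) // 8
        return value.bit_length().to_bytes(2, "big") + value.to_bytes(nbytes, "big")
    return b"\x04" + (1421181120).to_bytes(4, "big") + b"\x01" + mpi(0xC0FFEE) + mpi(65537)


class Keyring:
    """Hypothetical keyring: maps fingerprints to owners, queried two ways."""
    def __init__(self, owners_by_fpr: dict):
        self._by_fpr = {f.upper(): o for f, o in owners_by_fpr.items()}

    def candidates_by_key_id(self, key_id: str) -> list:
        # All a verifier can do with the 64-bit (or 32-bit) ID in a signature
        # packet: every key whose fingerprint ends in that ID is a candidate.
        return sorted(o for f, o in self._by_fpr.items() if f.endswith(key_id.upper()))

    def lookup_by_fingerprint(self, fingerprint: str):
        return self._by_fpr.get(fingerprint.upper())   # exact, at most one key


def demo_keyring() -> Keyring:
    return Keyring({ALICE_FPR: "alice", BOB_FPR: "bob", CAROL_FPR: "carol"})
```

With the demo keyring, a signature carrying key ID `0123456789ABCDEF` matches both Alice's and Bob's keys, so the verifier must try each; only the full fingerprint names one key.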
