Hi

> Only the right key will actually work for verification, but the program may
> not be able to find that right key.

Wouldn't this issue of possible collisions in the long key ID (64 bits / 16 hex digits) causing problems for the GPG program only be an issue in an organisational setting, where there is a large number of users sharing that program and where keys are uploaded to/retrieved from key servers using short IDs? For an individual who, for example, only imports keys with fingerprints (160 bits / 40 hex) and publishes their fingerprint rather than the short or long key ID, how can this risk arise, or is there still an issue with key servers?

Sandeep Murthy
s.mur...@mykolab.com

> On 13 Jan 2015, at 20:52, David Shaw <ds...@jabberwocky.com> wrote:
>
> On Jan 13, 2015, at 2:53 PM, NdK <ndk.cla...@gmail.com> wrote:
>>
>> On 13/01/2015 16:34, David Shaw wrote:
>>
>>> I like the idea of adding a proper fingerprint to signature packets. I
>>> seem to recall this was suggested once in the past, but I don't recall why
>>> it wasn't pursued.
>> What I don't understand (surely because of my ignorance of GPG inner
>> workings) is what that should add to the security... IOW, if the private
>> key has been generated by a third party to have a certain fingerprint,
>> what's the purpose of adding that fingerprint to the signature?
>
> OpenPGP uses the 64-bit key ID to locate keys. If two people have the same
> 64-bit key ID, it doesn't mean that person A can impersonate person B, but it
> does mean that if both person A and person B's keys are on a given keyring,
> the verifying program will not know which key to use to check the signature.
> Only the right key will actually work for verification, but the program may
> not be able to find that right key.
>
> The fingerprint is a 160-bit key ID - effectively impossible (given today's
> knowledge) to impersonate.
>
> David
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
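As an added example (not code from this thread and not GnuPG's own code), the following Python derives the v4 fingerprint and the long (64-bit) and short (32-bit) key IDs from a constructed RSA public-key packet as RFC 4880 specifies, then runs a birthday search over the creation-time field to show why a short key ID collides after roughly 2^16 keys: a keyring lookup by short ID returns two candidate keys, while a lookup by fingerprint returns exactly one, which is the ambiguity David describes. The key material (N_SAMPLE, E_SAMPLE) is made up, not a real key, and all function names are this example's own.

```python
"""
Added example: OpenPGP v4 fingerprint / key ID derivation and a birthday
search for a 32-bit short key ID collision.  Not code from the thread or
from GnuPG; key material below is constructed, not a real key.
"""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then magnitude bytes."""
    magnitude = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + magnitude


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA (algorithm 1) public-key packet (RFC 4880 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """Long key ID: low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """Short key ID: low-order 32 bits (last 8 hex digits) of the fingerprint."""
    return fingerprint[-8:]


def locate_keys(keyring: dict, wanted: str) -> list:
    """Mimic a verifier's lookup: every key whose fingerprint ends with the
    requested identifier (short ID, long ID or full fingerprint) is a candidate."""
    return [fp for fp in keyring if fp.endswith(wanted)]


# Constructed sample key material (toy 128-bit modulus, NOT a real RSA key).
N_SAMPLE = 0xB5E2D1A47F3C9A015D8E2B774C19F0A3
E_SAMPLE = 65537


def find_short_id_collision(n: int, e: int, limit: int = 2_000_000):
    """Birthday search: keep the MPIs fixed and vary only the 4-byte creation
    time until two distinct keys share a 32-bit short key ID.  Expected cost is
    about 2**16 hashes; the same search on the 64-bit long ID would need about
    2**32, and on the 160-bit fingerprint about 2**80, which is why only the
    fingerprint is a safe identifier.  Returns (fingerprint_a, fingerprint_b,
    attempts) or None if the limit is reached (practically never)."""
    seen = {}
    for created in range(limit):
        fp = v4_fingerprint(v4_public_key_body(created, n, e))
        sid = short_key_id(fp)
        if sid in seen:
            return seen[sid], fp, created + 1
        seen[sid] = fp
    return None


def demo() -> dict:
    """Build a two-key keyring whose keys collide on the short ID and compare
    lookups by short ID and by full fingerprint."""
    fp_a, fp_b, attempts = find_short_id_collision(N_SAMPLE, E_SAMPLE)
    keyring = {fp_a: "person A", fp_b: "person B"}
    return {
        "attempts": attempts,
        "candidates_by_short_id": len(locate_keys(keyring, short_key_id(fp_a))),
        "candidates_by_fingerprint": len(locate_keys(keyring, fp_a)),
        # Sharing the low 32 bits says nothing about the next 32: the long IDs differ.
        "long_ids_differ": long_key_id(fp_a) != long_key_id(fp_b),
    }


if __name__ == "__main__":
    result = demo()
    print(f"short-ID collision after {result['attempts']} keys; "
          f"lookup by short ID -> {result['candidates_by_short_id']} candidates, "
          f"by fingerprint -> {result['candidates_by_fingerprint']}")
```

Because `locate_keys` returns every match, a verifier that uses it has to attempt verification against each candidate rather than stopping at the first; that is the behaviour David's message asks for. The search only exercises the 32-bit ID because that is what a desktop machine finds in well under a second; the 64-bit long ID is out of reach for a quick demo but not for a determined attacker, which is why publishing and importing by full fingerprint, as the question describes, is the right habit.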