Forging fingerprints/KeyID?
Atom Smasher
atom at smasher.org
Tue Nov 29 12:00:32 CET 2005
On Mon, 28 Nov 2005, David Shaw wrote:
> On Tue, Nov 29, 2005 at 05:36:38AM +0100, Christoph Anton Mitterer wrote:
>> Ah,.. thanks :-)
>> So it should be completely enough to verify Name/eMail and the
>> Fingerprint when signing another key,... and I don't have to compare
>> creation date/keysize/algorithm/etc., right?
>
> Not unless you're signing a PGP 2.x (v3) key.
==================
how feasible would it be for an attacker to create a small (512 bit?) v4
key with the same key id as a target key (irrespective of the size and
algorithm of the target key)?
it may not be practical today to do this with a fingerprint collision, but
i subscribe to the theory that it doesn't hurt to check the size and
algorithm of keys before signing them.
--
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Written laws are like spiders' webs, and will, like them,
only entangle and hold the poor and weak, while the rich
and powerful easily break through them."
-- Anacharsis - (Scythian philosopher - 600 B.C.E.)
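
Added example, not part of the original message and not GnuPG's code: how an OpenPGP v4 fingerprint and key ID are derived for an RSA key, showing that the creation time, algorithm and key material are all hashed into the fingerprint while the key ID is only its low 64 bits, and that a v3 fingerprint and key ID cover less. The modulus, exponent and timestamp are constructed sample values, not a real key.

```python
import hashlib
import struct

# Constructed sample values (not a real key; N is just a 512-bit odd number).
N = (1 << 511) | 0xC0FFEE0123456789ABCDEF01
E = 65537
CREATED = 1133222400  # arbitrary Unix timestamp

def mpi(n):
    """OpenPGP MPI: 2-byte bit count, then the big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def v4_rsa_body(created, n, e):
    """v4 public-key packet body: version 4, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body):
    """SHA-1 over 0x99, the 2-byte body length, and the whole packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def v3_rsa_fingerprint(n, e):
    """v3: MD5 over the n and e magnitudes only (no bit counts, no creation time)."""
    return hashlib.md5(mpi(n)[2:] + mpi(e)[2:]).digest()

def v3_key_id(n):
    """v3: the key ID is the low 64 bits of the modulus, unrelated to the fingerprint."""
    return format(n & 0xFFFFFFFFFFFFFFFF, "016X")

def summary(body):
    """What to compare before signing a v4 key: fingerprint, key ID, algorithm, size."""
    fpr = v4_fingerprint(body)
    return {
        "fingerprint": fpr.hex().upper(),
        "key_id": fpr[-8:].hex().upper(),           # low 64 bits of the fingerprint
        "algorithm": body[5],                       # 1 = RSA
        "bits": struct.unpack(">H", body[6:8])[0],  # bit count of the first MPI
        "created": struct.unpack(">I", body[1:5])[0],
    }

if __name__ == "__main__":
    for k, v in summary(v4_rsa_body(CREATED, N, E)).items():
        print(f"{k:12} {v}")
    # Same key material, different creation time: the v4 fingerprint changes.
    print(summary(v4_rsa_body(CREATED + 1, N, E))["fingerprint"])
```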