Vanity Keys

David Shaw dshaw at jabberwocky.com
Tue Jan 13 21:52:07 CET 2015


On Jan 13, 2015, at 2:53 PM, NdK <ndk.clanbo at gmail.com> wrote:
> 
> Il 13/01/2015 16:34, David Shaw ha scritto:
> 
>> I like the idea of adding a proper fingerprint to signature packets.  I seem to recall this was suggested once in the past, but I don't recall why it wasn't pursued.
> What I don't understand (surely because of my ignorance of GPG inner
> working) is what that should add to the security... IOW, if the private
> key have been generated by a third party to have a certain fingerprint,
> what's the purpose of adding that fingerprint to the signature?

OpenPGP uses the 64-bit key ID to locate keys.  If two people have the same 64-bit key ID, it doesn't mean that person A can impersonate person B, but it does mean that if both person A and person B's keys are on a given keyring, the verifying program will not know which key to use to check the signature.  Only the right key will actually work for verification, but the program may not be able to find that right key.

The fingerprint is a 160-bit key ID - effectively impossible (given today's knowledge) to impersonate.

David


More information about the Gnupg-users mailing list