ietf-openpgp

Re: OpenPGP key fingerprints and stuff

1999-09-13 08:31:06
In <v04210118b40211aa218f(_at_)[204(_dot_)179(_dot_)130(_dot_)203]>, on 09/12/99 at 07:33 PM, Jon Callas <jon(_at_)callas(_dot_)org> said:

At 1:54 PM -0400 9/12/99, John S. Bucy wrote:

Someone else suggested that the problem of computing a key pair that has a
particular key ID is computationally infeasible.  I can't really speak to
this either way but it seems to me like 1: the probability of people
independently randomly generating the same key pair (or keypairs with
identical fingerprints/keyIDs) is quite small and that 2: it would be
completely impractical for almost anyone (three-letter agencies excluded)
to try to exploit a system by systematically causing keyID collisions.

Yes, it's computationally infeasible to generate a key with a given
keyID. Or more to the point, if you can do it, you have found a flaw in
SHA-1. Publish it, you'll get kudos.

However, because the keyID is 64 bits long, when there are a total of 4
billion keys (0x1 0000 0000) in the universe, there is a 50% chance that
there is some collision of two keyIDs. These two people will be annoyed,
because all the present implementations assume keyIDs are unique.

Actually, IIRC when I asked about keyIDs long ago it was the consensus
that they were not unique and should be treated as such. I have been
coding under this assumption ever since.



As far as my particular system goes, it seems like I have two options:

1.  Don't worry about key ID collisions.  Under most circumstances, I
think that this would probably be ok.

2.  Use a "signer's key fingerprint" signature subpacket and leave the
keyID packet there and ignore it.  Has the working group considered an
extension to OpenPGP to standardize such a thing (i.e. keyID Must
Implement, fingerprint Should implement)?  It seems like this would be
preferable to me defining my own subpacket type for my specific system...


In the long term, (2) is a good idea. But it's not just signatures that
need it. All places where a keyID is used really should move to
fingerprints. But it's not presently in the scope of this WG to fix all
of these.

If you make your own fingerprint subpacket, please use a notation
subpacket for it.

IMHO I just don't see a need for it anytime in the near future. While
there is the chance for collisions (I think it is greater than your
estimate above) it is quite remote on the client end. It seems to me that
this is mostly a server issue though the client software shouldn't choke
on it.


-- 
---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
---------------------------------------------------------------
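
An added example, not part of the original message or of any OpenPGP implementation: a keyring index that treats key IDs as non-unique, as discussed above, and resolves a shared key ID with a fingerprint hint such as one carried in a notation subpacket. The names Keyring, select and fpr_hint are hypothetical, the packet bodies are constructed filler rather than real keys, and the 8-bit ID width is used only so the demo is guaranteed to contain a collision; collision_probability gives the birthday approximation for real 64-bit key IDs.

```python
import hashlib
import math
import struct
from collections import defaultdict

def v4_fingerprint(body: bytes) -> bytes:
    # V4 fingerprint: SHA-1 over 0x99, a 2-octet length, then the public-key packet body.
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_id(fpr: bytes, bits: int = 64) -> bytes:
    # V4 key ID: low-order 64 bits of the fingerprint (narrowed only for the demo).
    return fpr[-(bits // 8):]

def collision_probability(n_keys: int, bits: int = 64) -> float:
    # Birthday approximation: chance that at least two of n_keys random IDs are equal.
    return -math.expm1(-n_keys * (n_keys - 1) / 2.0 ** (bits + 1))

class Keyring:
    """Index that never assumes a key ID maps to a single key (hypothetical class)."""
    def __init__(self, id_bits: int = 64):
        self.id_bits = id_bits
        self._by_id = defaultdict(dict)  # key ID -> {fingerprint: packet body}

    def add(self, body: bytes) -> bytes:
        fpr = v4_fingerprint(body)
        self._by_id[key_id(fpr, self.id_bits)][fpr] = body
        return fpr

    def candidates(self, kid: bytes) -> dict:
        return dict(self._by_id.get(kid, {}))

    def select(self, kid: bytes, fpr_hint: bytes = None) -> bytes:
        found = self.candidates(kid)
        if fpr_hint is not None:  # the full fingerprint picks exactly one key
            return found[fpr_hint]
        if len(found) != 1:       # refuse to guess when the key ID is shared or unknown
            raise LookupError(f"{len(found)} keys share key ID {kid.hex()}")
        return next(iter(found.values()))

def demo():
    # Constructed bodies: version 4, creation time, algorithm 1, filler key material.
    ring = Keyring(id_bits=8)  # 300 keys over 256 possible IDs must collide
    fprs = [ring.add(struct.pack(">BIB", 4, 937000000 + i, 1) + b"constructed")
            for i in range(300)]
    return ring, fprs

if __name__ == "__main__":
    for n in (2**20, 2**32, 2**33):
        print(f"{n:>12} keys, 64-bit IDs: p(collision) = {collision_probability(n):.4f}")
    ring, fprs = demo()
    print(sum(len(ring.candidates(key_id(f, 8))) > 1 for f in fprs), "of 300 demo keys share an ID")
```
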

