ietf-openpgp

Re: Hard expiration dates (was: I-DACTION:draft-ietf-openpgp-rfc2440bis-07.txt)

2003-03-24 15:10:25

On 3/24/03 9:07 AM, "Michael Young" <mwy-opgp97(_at_)the-youngs(_dot_)org> wrote:

> Jon Callas noted:
>> The V4 fingerprint *includes* the creation time of the key, which is in most
>> people's opinion, a flaw.
>
> Could you say why people thought this was a flaw?


The reason is that if you have two keys that have the same key material,
they will have different fingerprints (unless they also have the same date).

People who believe this is a flaw think that the fingerprint should be a
function of the key material (and perhaps some other constants).

Here's the central question: If Alice and Bob each have a key that by some
coincidence share the same key material, should their keys have the same
fingerprint?

None of the key management utilities give an easy interface to ask the
question of whether two keys have the same key material by directly
comparing them.

Suppose Bob takes the key material from Alice's key, and makes a new key
(which he doesn't have the private key to), and claims that one of Alice's
signatures is actually his own. There is no easy way to figure out what's
going on. If the fingerprints were the same, it'd be a snap.

    Jon
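The following is an added illustration, not code from this thread or from any OpenPGP implementation. It builds the V4 fingerprint the way RFC 2440 defines it (SHA-1 over 0x99, a two-byte length, and the public-key packet body, which starts with the version byte and the four-byte creation time), then hashes the same constructed RSA key material under two different creation times to show that the fingerprints diverge even though the material is identical. The `material_only_fingerprint` function is a hypothetical alternative, not part of any standard, showing what a key-material-only fingerprint would give; the RSA values are small constructed numbers, not a real key.

```python
import hashlib


def mpi(n: int) -> bytes:
    """Encode a non-negative integer as an OpenPGP MPI:
    two-byte big-endian bit length followed by the big-endian magnitude."""
    if n == 0:
        return b"\x00\x00"
    bit_len = n.bit_length()
    return bit_len.to_bytes(2, "big") + n.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_body(creation_time: int, algo: int, mpis: list) -> bytes:
    """Body of a V4 public-key packet: version 4, 4-byte creation time,
    public-key algorithm id, then the algorithm-specific MPIs."""
    body = b"\x04" + creation_time.to_bytes(4, "big") + bytes([algo])
    for m in mpis:
        body += mpi(m)
    return body


def v4_fingerprint(creation_time: int, algo: int, mpis: list) -> str:
    """RFC 2440 V4 fingerprint: SHA-1(0x99 || 2-byte body length || body).
    The creation time is inside the body, so it is part of the hash."""
    body = v4_public_key_body(creation_time, algo, mpis)
    h = hashlib.sha1()
    h.update(b"\x99" + len(body).to_bytes(2, "big") + body)
    return h.hexdigest().upper()


def material_only_fingerprint(algo: int, mpis: list) -> str:
    """Hypothetical alternative (not an OpenPGP standard): a fingerprint that
    is a function of the algorithm id and key material only."""
    h = hashlib.sha1()
    h.update(bytes([algo]))
    for m in mpis:
        h.update(mpi(m))
    return h.hexdigest().upper()


def same_key_material(key_a: tuple, key_b: tuple) -> bool:
    """Direct comparison of (algo, mpis) that ignores the creation time;
    this is the check the post says no key-management tool exposes easily."""
    algo_a, mpis_a = key_a
    algo_b, mpis_b = key_b
    return algo_a == algo_b and list(mpis_a) == list(mpis_b)


# Constructed sample values (NOT a real key): algorithm 1 = RSA,
# a 64-bit "modulus" and the usual public exponent 65537.
RSA = 1
N = 0xC0FFEE1234567891
E = 65537
T_ALICE = 0x3E7F0000           # constructed creation time (seconds since epoch)
T_BOB = T_ALICE + 86400        # same material, re-wrapped one day later


def demo() -> dict:
    """Return both fingerprints for each key plus the material comparison."""
    fp_alice = v4_fingerprint(T_ALICE, RSA, [N, E])
    fp_bob = v4_fingerprint(T_BOB, RSA, [N, E])
    return {
        "v4_alice": fp_alice,
        "v4_bob": fp_bob,
        "v4_equal": fp_alice == fp_bob,
        "material_equal": material_only_fingerprint(RSA, [N, E])
        == material_only_fingerprint(RSA, [N, E]),
        "direct_compare": same_key_material((RSA, [N, E]), (RSA, [N, E])),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows `v4_equal: False` while `material_equal` and `direct_compare` are `True`, which is exactly the situation the post describes: two keys that wrap the same material carry different V4 fingerprints, and only a direct comparison of the material reveals that they are the same.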