ietf-openpgp

Re: Hard expiration dates (was:I-DACTION:draft-ietf-openpgp-rfc2440bis-07.txt)

2003-03-24 16:00:35

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the explanation.

Jon Callas wrote:
> Here's the central question: If Alice and Bob each have a key that by some
> coincidence share the same key material, should their keys have the same
> fingerprint?

It depends what you want the fingerprint to do.  If you want to use
the fingerprint to detect this specific sort of reuse, then you want
them to be the same.  If you want the fingerprint to be useful as a
unique index (up to breakage of the hash) for the key and its
signatures, and those signatures incorporate the non-MPI material,
then you want them to be different.  I think the latter is far more useful.

[Just so everyone's clear on the indexing problem, here's an example.
Alice creates a key with <time1,MPIs>, and gathers some signatures for
it.  Bob later creates a key with <time2,MPIs> and gathers his own
signatures.  Charlie receives both Alice's and Bob's keys.  Since they
have the same fingerprint, Charlie thinks they're the same, and merges
them together.  Whichever timestamp he keeps, Charlie will effectively
destroy the other key -- the signatures based on the key with the
other time won't verify.  This is very close to a real-world example:
Charlie is one of many keyservers that assume that fingerprints are
unique; Bob is created by an automated signing agent that (accidentally)
mangled Alice's timestamp.]

But, as I said before, if the point was to remove the creation time
from the key packet entirely (meaning that it wouldn't get hashed into
all signatures, either), then the fingerprint will serve both
purposes.  I'd be quite happy with that.  Was that the nature of the
proposal for a V5 format?

> None of the key management utilities give an easy interface to ask the
> question of whether two keys have the same key material by directly
> comparing them.

[Actually, GnuPG offers a switch to see the key material.  You might
argue that its interface isn't "easy", though. :-]

> Suppose Bob takes the key material from Alice's key, and makes a new key
> (which he doesn't have the private key to), and claims that one of Alice's
> signatures is actually his own. There is no easy way to figure out what's
> going on. If the fingerprints were the same, it'd be a snap.

I don't find this at all compelling.

First, if Bob wants to thwart this use of fingerprints, he simply
has to use the same creation time.  What does Bob gain by using
a different time in this attack?

Second, there *is* an easy way to figure out that Bob is bogus.  His
identity will have no valid self-signature; if you press him for one,
he can't produce it.  GnuPG, for one, rejects such things by default;
other tools *should* do the same (or at least note the impropriety loudly).
Alice *can* demonstrate a valid self-signature.  If your argument is that
Bob can pull this off by hiding Alice's key, then fingerprints won't
help, either.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPn+NzOc3iHYL8FknEQLRvwCdG1orz8++JoiS/calYr9uS2QfJGQAoMdJ
gMVUPQdwnDADfjHx1sgUU9ow
=96LO
-----END PGP SIGNATURE-----
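
The indexing problem discussed in the message above, as an added example that is not part of the original post: it computes the V4 fingerprint (SHA-1 over the key packet, creation time included) for two keys sharing the same MPIs, next to a hypothetical fingerprint over the MPIs alone, and shows how a keyserver-style index behaves under each. The modulus, timestamps, owner names and function names are constructed for illustration, and the material-only fingerprint is an assumption, not a defined OpenPGP format.

```python
import hashlib
import struct

RSA_ALGO = 1  # OpenPGP public-key algorithm ID for RSA

def mpi(n: int) -> bytes:
    """OpenPGP MPI: two-octet bit length, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def key_packet_body(created: int, n: int, e: int) -> bytes:
    """V4 public-key packet body: version, creation time, algorithm, MPIs."""
    return struct.pack(">BIB", 4, created, RSA_ALGO) + mpi(n) + mpi(e)

def v4_fingerprint(created: int, n: int, e: int) -> str:
    """SHA-1 over 0x99, two-octet length, packet body. V4 certification
    signatures hash the same octets, so they also depend on the creation time."""
    body = key_packet_body(created, n, e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()

def material_only_fingerprint(n: int, e: int) -> str:
    """Hypothetical fingerprint over the MPIs alone (assumption for comparison)."""
    return hashlib.sha1(mpi(n) + mpi(e)).hexdigest()

def build_index(keys, fingerprint_of):
    """Keyserver-style index: fingerprint -> owners filed under it."""
    index = {}
    for owner, created, n, e in keys:
        index.setdefault(fingerprint_of(created, n, e), []).append(owner)
    return index

# Constructed sample data: N is just a 1024-bit integer, not a real RSA modulus.
N = (1 << 1023) | 0x2F4B9D
E = 65537
TIME1, TIME2 = 1048000000, 1048500000
KEYS = [("alice", TIME1, N, E), ("bob", TIME2, N, E)]

def demo():
    by_v4 = build_index(KEYS, v4_fingerprint)
    by_material = build_index(KEYS, lambda created, n, e: material_only_fingerprint(n, e))
    return by_v4, by_material

if __name__ == "__main__":
    by_v4, by_material = demo()
    print("V4 fingerprint index:      ", by_v4)        # two separate entries
    print("material-only index:       ", by_material)  # one entry, keys get merged
    # Reusing Alice's creation time makes the V4 fingerprints match again.
    print("same time, same fingerprint:",
          v4_fingerprint(TIME1, N, E) == v4_fingerprint(TIME1, N, E))
```

Under the material-only index both owners land in one entry, which is the merge that would leave one set of signatures unverifiable, since those signatures cover the creation time.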