ietf-openpgp

Re: Some thoughts on a v5 key and why it shouldn't be a mess (fwd)

2005-09-22 13:33:31

On Thu, Sep 22, 2005 at 03:36:36PM -0400, David Shaw wrote:

> Well yes, but someone can generate a key with an arbitrary ID today.
> Even forgetting the DEADBEEF games that are possible with v3 RSA keys,
> there is a program out there that generates v4 DSA keys over and over
> until the requested (short) key ID comes up.

As I understand, that's precisely the reason why long IDs are used as key
pointers. It would take 4 million times longer to generate one of those.
Still possible for a determined, well-funded adversary, but expensive. In
case of v3 keys, it was trivial. In case of the proposed hash function
choice, it will still be expensive, but substantially cheaper (even if
nothing is broken) than with current v4 keys, and in a "brittle" way: a
breakthrough in one case breaks the whole thing.

I think that SHA1 for key identification and fingerprinting is still a
comfortable overkill.

-- 
Daniel
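
Added example, not part of the original message or of any OpenPGP implementation: how the v4 fingerprint and the long and short key IDs discussed above are derived, and a keyring check that flags IDs shared by more than one fingerprint. It assumes the RFC 4880 definition (SHA-1 over 0x99, a two-octet length, then the public-key packet body; key ID = low-order 64 bits); the function names, the packet body and the fingerprints are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def v4_fingerprint(pubkey_body: bytes) -> str:
    """SHA-1 over 0x99, the two-octet body length, then the packet body."""
    if not pubkey_body or pubkey_body[0] != 4:
        raise ValueError("not a v4 public-key packet body")
    if len(pubkey_body) > 0xFFFF:
        raise ValueError("body too long for a two-octet length")
    prefix = b"\x99" + len(pubkey_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()

def long_id(fpr: str) -> str:
    """Low-order 64 bits of the fingerprint (16 hex digits)."""
    return fpr[-16:]

def short_id(fpr: str) -> str:
    """Low-order 32 bits of the fingerprint (8 hex digits)."""
    return fpr[-8:]

def ambiguous_ids(fingerprints, id_func):
    """Return {id: [fingerprints]} for every ID that maps to more than one key."""
    groups = defaultdict(set)
    for fpr in fingerprints:
        fpr = fpr.upper()
        groups[id_func(fpr)].add(fpr)
    return {kid: sorted(fprs) for kid, fprs in groups.items() if len(fprs) > 1}

# Constructed packet body: version 4, creation time, algorithm 17 (DSA),
# then a toy MPI. Not a usable key, only input for the hash.
SAMPLE_BODY = bytes([4]) + (0x43000000).to_bytes(4, "big") + bytes([17]) + b"\x00\x08\xff"

# Constructed keyring: two fingerprints built by hand to share a short ID
# while differing in their long ID, plus the fingerprint of the sample body.
KEYRING = [
    "A" * 24 + "11111111" + "DEADBEEF",
    "B" * 24 + "22222222" + "DEADBEEF",
    v4_fingerprint(SAMPLE_BODY),
]

if __name__ == "__main__":
    print("short-ID clashes:", ambiguous_ids(KEYRING, short_id))
    print("long-ID clashes: ", ambiguous_ids(KEYRING, long_id))
```

Run over a real keyring's fingerprints, a non-empty result for `short_id` means lookups by short ID are ambiguous there and should be done by long ID or full fingerprint.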