On Thu, Jan 3, 2013 at 10:54 PM, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:
On Thu, 3 Jan 2013 20:06, openpgp(_at_)brainhub(_dot_)org said:
export/import control of encryption). Fingerptins are special data
structures because they are sometimes input by humans.
Well, humans compare fingerprints but don't enter them. I doubt that I
ever did this in the last 20 years.
Yes. And it is also important that there is a way to 'uniquely' (granted
the *very* small chance of a collision - I think there has been only one
possible collision with SHA-1 fingerprints reported on the gnupg list)
identify keys to other programs. I suspect that a lot of programs using
gnupg and other implementations expect the fingerprint to be unique. There
does have to be a reliable way to refer to a particular key.
So fingerprints are compared by humans, but they are also important for
computers too - and probably used more by computers than by humans. I
don't see the sense in adopting a truncated standard. Any new fingerprint
is going to be more tedious than comparing SHA-1, but that's the price to
be paid for security.
I suppose that humans will start relying more on the key-id. I assume that
any new standard would adopt a more collision-resistant key-id.
openpgp mailing list