[Top] [All Lists]

Re: [openpgp] Fingerprints and their collisions resistance

2013-01-07 01:20:29
On Thu, Jan 3, 2013 at 10:54 PM, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:

On Thu,  3 Jan 2013 20:06, openpgp(_at_)brainhub(_dot_)org said:

export/import control of encryption). Fingerptins are special data
structures because they are sometimes input by humans.

Well, humans compare fingerprints but don't enter them.  I doubt that I
ever did this in the last 20 years.

Yes.  And it is also important that there is a way to 'uniquely' (granted
the *very* small chance of a collision - I think there has been only one
possible collision with SHA-1 fingerprints reported on the gnupg list)
identify keys to other programs.  I suspect that a lot of programs using
gnupg and other implementations expect the fingerprint to be unique.  There
does have to be a reliable way to refer to a particular key.

So fingerprints are compared by humans, but they are also important for
computers too - and probably used more by computers than by humans.  I
don't see the sense in adopting a truncated standard.  Any new fingerprint
is going to be more tedious than comparing SHA-1, but that's the price to
be paid for security.

I suppose that humans will start relying more on the key-id.  I assume that
any new standard would adopt a more collision-resistant key-id.

openpgp mailing list