On Tuesday, 4 August 2015, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:
On Tue, 4 Aug 2015 04:42, look@my.amazin.horse said:
And the actual attack is "slightly weaker non-repudiation"?
... when using a truncated fingerprint.
Why should anyone truncate a fingerprint from 20 bytes to 13 bytes?
This is an arbitrary value in between the known weak 8 byte keyids and
the full 20 byte fingerprints for which we expect that in our lifetime
collisions can be
I'm really struggling to follow what is going on with this whole
discussion! Fingerprints need to be robust enough that creating aritrary
collisions is not feasible. That has always been central to OpenPGP. If
that creates headaches for user interfaces then we will have to find ways
to deal with that, but that is a separate discussion.
I thought that there were some well established, secure as far as anyone
knows, hash algorithms. We've many years experience of the problems of
including or not including various extra bits of information along with the
key material itself, so doesn't the WG just need to pick one of the
candidate algorithms and have done with it?
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp