Nicholas Cole <nicholas(_dot_)cole(_at_)gmail(_dot_)com> writes:
On Tuesday, 4 August 2015, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:
On Tue, 4 Aug 2015 04:42, look@my.amazin.horse said:
> And the actual attack is "slightly weaker non-repudiation"?
... when using a truncated fingerprint.
Why should anyone truncate a fingerprint from 20 bytes to 13 bytes?
This is an arbitrary value in between the known weak 8 byte keyids and
the full 20 byte fingerprints for which we expect that in our lifetime
collisions can be
I'm really struggling to follow what is going on with this whole discussion!
Fingerprints need to be robust enough that creating aritrary collisions is not
feasible. That has always been central to OpenPGP. If that creates headaches
for user interfaces then we will have to find ways to deal with that, but that
is a separate discussion.
I thought that there were some well established, secure as far as anyone
knows, hash algorithms. We've many years experience of the problems of
including or not including various extra bits of information along with the
key
material itself, so doesn't the WG just need to pick one of the candidate
algorithms and have done with it?
Every hash algorithm is going to have collisions. In an ideal hash you
can find a collision in 2^(N/2) trials where N is the number of bits in
the hash. If you truncate the hash then that reduces N. In non-ideal
hashes it's less effort.
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord(_at_)MIT(_dot_)EDU PGP key available
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp