ietf-openpgp

Re: [openpgp] Followup on fingerprints

2015-08-06 10:55:24
On 4/08/2015 22:30 pm, Daniel Kahn Gillmor wrote:
> On Tue 2015-08-04 04:05:03 -0400, Nicholas Cole wrote:
> > I'm really struggling to follow what is going on with this whole
> > discussion!  Fingerprints need to be robust enough that creating arbitrary
> > collisions is not feasible. That has always been central to OpenPGP.
>
> Why must fingerprints be collision-resistant?  We've always said that
> fingerprints need to be preimage-resistant -- that is, if i know your
> fingerprint, i should not be able to forge a new key that has the same
> fingerprint.
>
> But collision-resistance is a different property: if the fingerprint
> mechanism is not collision-resistant, then an attacker can create two
> keys with the same fingerprint.  Why is this a threat?


I'll bite: A person with two keys can sign a document that holds him, then announce that it wasn't signed by him. As proof, he can anonymously publish his other key...

(What does this prove? Well, not a lot but it does spoil the normal narrative. Part of the success of a system is that it eliminates spoilers...)

iang

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
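
The two properties contrasted in this thread, as an added example that is not part of the original messages or of any OpenPGP implementation: with a toy fingerprint, a party who generates both keys finds a collision in roughly 2^(n/2) tries, while matching a fingerprint that belongs to someone else takes roughly 2^n. The 16-bit width, the `constructed_key` byte strings and all function names are assumptions made for illustration; they are not real OpenPGP key packets or fingerprints.

```python
import hashlib
from itertools import count

BITS = 16  # assumption: toy fingerprint width so both searches finish quickly


def fingerprint(key_material: bytes) -> int:
    """Toy fingerprint: the top BITS bits of SHA-256 over the key material."""
    digest = hashlib.sha256(key_material).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - BITS)


def constructed_key(label: bytes, i: int) -> bytes:
    """Constructed stand-in for key material (not a real key packet)."""
    return label + i.to_bytes(8, "big")


def find_collision():
    """One party chooses BOTH keys: birthday search, about 2**(BITS/2) tries."""
    seen = {}
    for tries in count(1):
        key = constructed_key(b"own-key-", tries)
        fpr = fingerprint(key)
        if fpr in seen:
            return seen[fpr], key, tries
        seen[fpr] = key


def find_preimage(target_fpr: int):
    """Match a fingerprint someone else published: about 2**BITS tries."""
    for tries in count(1):
        key = constructed_key(b"forged-key-", tries)
        if fingerprint(key) == target_fpr:
            return key, tries


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    print(f"collision after {n_coll} tries, fingerprint {fingerprint(a):#06x}")
    victim = constructed_key(b"victim-key-", 0)
    forged, n_pre = find_preimage(fingerprint(victim))
    print(f"preimage after {n_pre} tries, fingerprint {fingerprint(forged):#06x}")
```

The gap between the two try counts grows exponentially with the fingerprint width, which is why a hash can remain usable against preimage forgery after its collision resistance has weakened.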