ietf-openpgp

Re: [openpgp] Followup on fingerprints

2015-08-06 11:12:55
On Thursday, 6 August 2015, Vincent Breitmoser <look@my.amazin.horse> wrote:


> On 6 Aug 2015, ianG wrote:
>
> > I'll bite: A person with two keys can sign a document that holds
> > him, then announce that it wasn't signed by him.
>
> Even though two keys exist with the same fingerprint, a signature made
> by one will only check out with that one, so creating ambiguous
> signatures is not that simple unless the attacker can also freely choose
> which one of the two keys will be used for verification.  Also keep in
> mind that certificates are made over public key material, not only
> fingerprints.
>
> > As proof, he can anonymously publish his other key...
>
> Yes, well.  He could also publish this key if it wasn't a collided one,
> or simply state that it was compromised.  Which leads us to the same old
> discussion about the usefulness of non-repudiation in practice.


There's actually just a more basic, practical problem. Most gpg tools
assume unique fingerprints. Is it even possible to specify one key rather
than another if both have the same fingerprint?
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
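The two points made in the thread, that a signature verifies only with the key that produced it while a fingerprint-indexed keyring cannot tell two colliding keys apart, and that a certification covers the public key bytes rather than the fingerprint, can be shown with a small Go program. This is an added example, not code from the thread or from any OpenPGP implementation: it uses Ed25519 keys from the standard library as a stand-in for OpenPGP keys, a constructed one-byte "fingerprint" so that a collision can be generated in a few hundred tries (real v4 fingerprints are 160 bits; the logic does not depend on the length), and hypothetical names (`Keyring`, `Certify`, `Demo`, `Outcome`) that exist only here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint is a constructed, deliberately tiny (8-bit) digest of the
// public key so that a collision can be found quickly. Real OpenPGP v4
// fingerprints are 160 bits; nothing below depends on the digest length,
// only on two distinct keys sharing one value.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:1])
}

func mustGenerate() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// CollidingPair generates fresh keys until a second key shares the toy
// fingerprint of the first (about 256 tries on average for 8 bits).
func CollidingPair() (pubA ed25519.PublicKey, privA ed25519.PrivateKey, pubB ed25519.PublicKey, privB ed25519.PrivateKey) {
	pubA, privA = mustGenerate()
	target := Fingerprint(pubA)
	for {
		pubB, privB = mustGenerate()
		if Fingerprint(pubB) == target {
			return
		}
	}
}

// Keyring is indexed by fingerprint, the way most tooling assumes keys are
// unique. Keeping a slice per fingerprint makes the ambiguity visible
// instead of silently overwriting the earlier key.
type Keyring map[string][]ed25519.PublicKey

func (k Keyring) Add(pub ed25519.PublicKey) {
	fp := Fingerprint(pub)
	k[fp] = append(k[fp], pub)
}

// Lookup returns every key stored under a fingerprint; more than one
// candidate means the fingerprint alone cannot select a key.
func (k Keyring) Lookup(fp string) []ed25519.PublicKey {
	return k[fp]
}

// Certify mirrors what the thread says about certifications: the certifier
// signs the subject's public key material itself, not its fingerprint.
func Certify(certifier ed25519.PrivateKey, subject ed25519.PublicKey) []byte {
	return ed25519.Sign(certifier, subject)
}

type Outcome struct {
	Candidates       int  // keys the keyring returned for one fingerprint
	SigVerifiesWithA bool // document signature checked with the signing key
	SigVerifiesWithB bool // same signature checked with the colliding key
	CertCoversA      bool // certification checked against the certified key
	CertCoversB      bool // certification checked against the colliding key
}

// Demo runs the scenario from the thread: two keys with one fingerprint, a
// document signed by key A, and a third-party certification made over key A.
func Demo() Outcome {
	pubA, privA, pubB, _ := CollidingPair()

	ring := Keyring{}
	ring.Add(pubA)
	ring.Add(pubB)

	doc := []byte("constructed sample document") // constructed input
	sig := ed25519.Sign(privA, doc)

	certPub, certPriv := mustGenerate() // constructed third party certifying key A
	cert := Certify(certPriv, pubA)

	return Outcome{
		Candidates:       len(ring.Lookup(Fingerprint(pubA))),
		SigVerifiesWithA: ed25519.Verify(pubA, doc, sig),
		SigVerifiesWithB: ed25519.Verify(pubB, doc, sig),
		CertCoversA:      ed25519.Verify(certPub, pubA, cert),
		CertCoversB:      ed25519.Verify(certPub, pubB, cert),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it shows two candidates under one fingerprint, the document signature verifying only with key A, and the certification verifying only against key A's bytes. The practical takeaway for a verifier is the one the last reply raises: a keyring that returns a single key per fingerprint has already made the choice the message warns about, so lookups should surface multiple candidates and callers should verify against the full key material rather than trust the identifier.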