I am more and more convinced of the wisdom of Alan Karp when he
insists that any system which uses a hash must specify what
happens when there is a hash collision. He points out that
anytime data longer than the hash output is hashed, there is the
possibility of a collision, which is true when calculating key
fingerprints.

Now the consequences may be severe or trivial. If a PGP message
routing application uses the fingerprint to select the
destination, the consequence of a collision may be as trivial as
routing messages to recipients who can't decrypt them, or the
more serious consequence of not sending messages to the
recipient who can decrypt them. The exercise of figuring out
what will happen results in better design.

There has also been an undertone of, "If we can't come up with
an attack, there aren't any." in this thread. I find this
attitude very dangerous as new classes of attacks (e.g. power
analysis) are constantly being discovered.

I would suggest wording in the security considerations section
something like:

"During the design process, any application using key
fingerprints SHOULD characterize the consequences of a
fingerprint collision on the application's security and
implementation integrity, particularly when using fewer bits
than the output of the fingerprint hash."

Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | Ham radio contesting is a   | Periwinkle
(408)356-8506      | contact sport.              | 16345 Englewood Ave
www.pwpconsult.com | - Ken Widelitz K6LA / VY2TT | Los Gatos, CA 95032
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
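
The message above asks applications to state what happens on a fingerprint collision, especially with truncated fingerprints. The following is an added example, not part of the original message or of any OpenPGP implementation: a routing directory whose stated policy is to fail closed on an ambiguous short fingerprint. Assumptions: SHA-1 over raw bytes stands in for the real fingerprint computation, the names `KeyDirectory`, `route` and `constructed_collision` are hypothetical, and the 16-bit truncation is chosen only so that constructed sample keys collide quickly.

```python
import hashlib

class FingerprintCollision(Exception):
    """Two different keys map to the same (truncated) fingerprint."""

def fingerprint(key_material: bytes, bits: int = 160) -> str:
    # Assumption: SHA-1 over raw bytes stands in for the real OpenPGP
    # fingerprint computation; `bits` keeps only the low-order bits,
    # the way a shortened key ID does.
    digest = hashlib.sha1(key_material).digest()
    return digest[-(bits // 8):].hex()

class KeyDirectory:
    """Maps truncated fingerprints to recipients with a stated collision policy."""
    def __init__(self, bits: int):
        self.bits = bits
        self._by_short = {}  # short fingerprint -> {full fingerprint: recipient}

    def register(self, recipient: str, key_material: bytes) -> bool:
        """Store the key; return True if it now shares a short fingerprint."""
        short = fingerprint(key_material, self.bits)
        full = fingerprint(key_material)
        bucket = self._by_short.setdefault(short, {})
        bucket[full] = recipient
        return len(bucket) > 1

    def route(self, short: str) -> str:
        """Return the single recipient for `short`, never an arbitrary one."""
        bucket = self._by_short.get(short, {})
        if not bucket:
            raise KeyError(short)
        if len(bucket) > 1:
            # Policy: fail closed and make the caller use the full fingerprint.
            raise FingerprintCollision(f"{short} matches {sorted(bucket.values())}")
        return next(iter(bucket.values()))

def constructed_collision(bits: int = 16):
    """Generate constructed sample keys until two share a short fingerprint."""
    seen = {}
    i = 0
    while True:
        key = b"constructed-sample-key-%d" % i
        short = fingerprint(key, bits)
        if short in seen:
            return seen[short], key
        seen[short] = key
        i += 1
```

Registering the two keys returned by `constructed_collision()` in a 16-bit directory makes `route()` raise instead of picking a recipient, while a 160-bit directory routes both correctly.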