Werner Koch <wk(_at_)gnupg(_dot_)org> writes:
Which is not defined by any standard.
You don't need a standard to tell you that a SHA-1 hash of a certificate is
obtained by taking a certificate and hashing it with SHA-1. Pretty much
everything has supported this for years, typically under the name of
certificate fingerprint.
It will only take a few days until the first wags create multiple different
keys with the same identifier to confuse software.
X.509 has been using this mechanism for about twenty years without any
problems. Sure, someone could do that, but what would they gain by it? The
same wags could create a key with a colliding email address attached to it,
and they've been able to do that for twenty years as well but the world hasn't
ended because of it.
I call this corrupt data. The self-signature would not verify and thus the
key is unusable. Time to remember where you stored the backup.
It's not corrupted, someone just updated their key info, the signatures on the
new key data are all valid. The fact that the exact same key that was used
earlier, with the exact same name/email address attached to it, now has a
totally different identifier associated with it, is a problem with how PGP
identifiers are handled. No data corruption has taken place.
Peter.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp