On 22.01.20 15:31, Marcus Brinkmann wrote:
> * The authors could have easily created colliding public keys with
> identical (160 bit SHA-1) fingerprints, at the cost of 45k USD.
> Although I don't know about any attack made possible by owning such a
> pair of keys, the pure existence of a fingerprint collision could cause
> problems in some applications, triggering potential bugs in code that
> assumes fingerprints can never be identical.
Does this mean that anyone can create a key pair that has the same
fingerprint as I have on my business card by spending that amount of money?
Does this mean that comparing a 20-byte (40 hex digit) fingerprint, as
printed by e.g. GnuPG 2.2.x, is no longer a reliable way to verify that you
have obtained the correct key?
Thanks
Kai
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
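For context on what the fingerprint being compared actually is, here is an added example (not from the thread or from GnuPG) that computes an OpenPGP v4 fingerprint as RFC 4880 section 12.2 defines it, prints it the way GnuPG does, and indexes a keyring by fingerprint without assuming fingerprints are unique. The key material is constructed demo data, not a real RSA key.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit length, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet: version 4, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-octet body length, and the body.
    Because this is plain SHA-1 over the key packet, a chosen-prefix SHA-1 collision
    on two packet bodies gives two different keys with identical 160-bit fingerprints."""
    return hashlib.sha1(bytes([0x99]) + struct.pack(">H", len(body)) + body).digest()

def gnupg_style(fpr: bytes) -> str:
    """Render the 20 bytes as GnuPG prints them: 40 upper-case hex digits in groups of four."""
    h = fpr.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

def index_keyring(bodies: list) -> dict:
    """Index key bodies by fingerprint while flagging the case the mail warns about:
    one fingerprint mapping to two *different* key bodies. Code that silently
    overwrites or merges on fingerprint alone would hide exactly that situation."""
    index, collisions = {}, []
    for body in bodies:
        fpr = v4_fingerprint(body)
        if fpr in index and index[fpr] != body:
            collisions.append(fpr)
        index.setdefault(fpr, body)
    return {"index": index, "collisions": collisions}

# Constructed demo key material (not real RSA parameters) so the example runs offline.
DEMO_N = int.from_bytes(b"constructed demo modulus, not a real key", "big")
DEMO_E = 65537
DEMO_BODY = v4_rsa_public_key_body(1579700000, DEMO_N, DEMO_E)

if __name__ == "__main__":
    print(gnupg_style(v4_fingerprint(DEMO_BODY)))
```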