On 1/23/2020 at 5:57 PM, "Kai Engert" wrote:
On 22.01.20 15:31, Marcus Brinkmann wrote:
* The authors could have easily created colliding public keys with identical (160 bit SHA-1) fingerprints, at the cost of 45k USD. Although I don't know about any attack made possible by owning such a pair of keys, the pure existence of a fingerprint collision could cause problems in some applications, triggering potential bugs in code that assumes fingerprints can never be identical.
Does this mean anyone can create a key pair that has the same fingerprint as I have on my business card, by spending that amount of money?
=====
I have not checked the original paper, but I *think* they were talking about making a key collision with a given 160-bit SHA-1 fingerprint, but *without* the same name and e-mail address, which would be much less of a practical threat.
Anybody, please correct me if I am wrong and they did include the name and e-mail in the proposal for a successful collision.
Thanks,
vedaal
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
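The question in the thread turns on what the fingerprint is computed over. As an added illustration that is not part of the thread: a v4 fingerprint (RFC 4880 section 12.2) is SHA-1 over the public-key packet body alone, while the user ID carrying name and e-mail is a separate packet bound by a self-signature and is not an input to the hash. The code below builds a constructed RSA key packet with deliberately tiny, made-up values and timestamps, computes the fingerprint, and shows a keyring lookup that does not assume two keys can never share a fingerprint.

```python
"""Added example (not from the thread): how a v4 OpenPGP fingerprint is formed, and a
keyring lookup that does not assume two keys can never share a fingerprint."""
import hashlib
import struct
from typing import Callable


def mpi(value: int) -> bytes:
    """OpenPGP MPI (RFC 4880 3.2): two-octet bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 RSA public-key packet (RFC 4880 5.5.2): version 4, creation time,
    algorithm 1 (RSA), then the MPIs n and e. The user ID (name, e-mail) lives in a
    separate packet bound by a self-signature; it is not part of this body."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet body length || body (20 bytes)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


class Keyring:
    """Keys indexed by fingerprint. Distinct key material under one fingerprint is kept,
    and lookup refuses to choose silently, so a collision surfaces instead of returning
    whichever key happened to be imported first. The hash is injectable only so the
    collision path can be exercised with a stand-in; default is the real fingerprint."""

    def __init__(self, fingerprint: Callable[[bytes], bytes] = v4_fingerprint):
        self._fingerprint = fingerprint
        self._by_fpr: dict[bytes, list[bytes]] = {}

    def add(self, body: bytes) -> bytes:
        fpr = self._fingerprint(body)
        keys = self._by_fpr.setdefault(fpr, [])
        if body not in keys:  # re-importing identical key material is harmless
            keys.append(body)
        return fpr

    def lookup(self, fpr: bytes) -> bytes:
        keys = self._by_fpr.get(fpr, [])
        if len(keys) != 1:
            raise LookupError(f"{len(keys)} keys match fingerprint {fpr.hex().upper()}")
        return keys[0]


# Constructed, deliberately tiny key values; real RSA moduli are thousands of bits.
KEY_A = rsa_public_key_body(n=0xC0FFEE123456789, e=65537, created=1579795020)
KEY_B = rsa_public_key_body(n=0xC0FFEE123456789, e=65537, created=1579795021)
```

Changing the user ID attached to KEY_A leaves `v4_fingerprint(KEY_A)` unchanged, while a one-second difference in creation time gives KEY_B a different fingerprint.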