[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output
From: |
John Clizbe |
Subject: |
Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output |
Date: |
Wed, 11 Sep 2013 20:17:59 -0500 |
User-agent: |
Mozilla/5.0 (X11; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0 SeaMonkey/2.20 |
Stefan Tomanek wrote:
> Dies schrieb John Clizbe (address@hidden):
>> 2012-10-27: Fixes for machine-readable indices.
>>
>> Key expiration times are now read from self-signatures on the key's UIDs.
>> (KF)
>> In addition, instead of 8-digit key IDs, index entries now return the most
>> specific key ID possible: 16-digit key ID for V3 keys, and the
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> full fingerprint for V4 keys. (JPC)
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> IMO having a dedicated entry with the fingerprint is a nice thing to have,
> that's why I am about to patch gnupg and enigmail to display this information
> when searching for keys. It's nice to see that sks uses the longest key id
> possible (so I could remove half of my patch), but I still consider an
> optional
> and explicit entry useful. Standards can be expanded, and nothing changes
> until
> the client explicitly asks for a fingerprint (fingerprint=on).
OK, so this is only a benefit for V3 keys. V4 keys already gives the
fingerprint as the key ID. To quote RFC4880:
"V3 keys are deprecated. They contain three weaknesses. First, it is
relatively easy to construct a V3 key that has the same Key ID as any other
key because the Key ID is simply the low 64 bits of the public modulus.
Secondly, because the fingerprint of a V3 key hashes the key material, but
not its length, there is an increased opportunity for fingerprint
collisions. Third, there are weaknesses in the MD5 hash algorithm that
make developers prefer other algorithms. See below for a fuller discussion
of Key IDs and fingerprints..."
The use of MD5 makes crafted key fingerprint collisions almost trivial. V3 key
ID collisions are already trivially constructed. While you may think it "is a
nice thing to have", you already get the fingerprint from SKS for the vast
majority of keys. The V3 keys your patch addresses have such basic problems
they should probably abandoned. Adding an fpr line to mr indexes is just
redundant.
--
John P. Clizbe Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or
mailto:address@hidden
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
signature.asc
Description: OpenPGP digital signature