Re: Number of developers, keyring map
On 31 May 1999, Craig Brozefsky wrote:
> > For RSA keys, you want the keyid, fingerprint and keylength. I've
> > seen keys that had identical fingerprints and keyids, but different
> > keylengths.
>
> Yes, the key length is critical. It's because of the ability to vary
> the key length that this attack is possible. MD5 is a hash, and there
> are an infinite number of sequences that will generate any particular
> MD5 identifier. Obviously we are limited to throwing our much much
> much smaller than "infinitely large" keys, but even within the range of
> those keys acceptable to pgp there are ways to generate collisions.

I've sent a mail to the GPG list asking for guidance and some more support
in GPG for this. It looks like I'll change the field to

21BADABBBF24424C/4966F272D093B493410B924B21BADABBBF24424C/1024D
6DC580F5C7261095/CBD9F4126807E405CC2D27121DF5E86E/1024R

or

4966F272D093B493410B924B21BADABBBF24424C/1024D
CBD9F4126807E405CC2D27121DF5E86E/1024R

Depending on if the keyID is an important distinguishing mark (the 6d..
number is the untruncated keyID). R indicates it is an RSA key and the D is
DSA (to prevent attacks across keytypes).

Here is an interesting question - For all the signing parties that go on,
how are the keys ID'd? I'd hope they use the full bizzillion number ID I
give above, but no tools print the full keyID very easily.

Jason
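
An added example, not part of the original message: a parser for the two field layouts proposed above that compares entries on every component, so two keys with the same key ID and fingerprint but different lengths are not treated as one key. The names `parse_field`, `differing_components` and `same_key` are hypothetical, and the 2048R entry is constructed for illustration.

```python
import re

# Field layout proposed in the message: [keyid/]fingerprint/<bits><type>,
# with type R = RSA and D = DSA.
FIELD = re.compile(r"^(?:([0-9A-F]{16})/)?([0-9A-F]{40}|[0-9A-F]{32})/(\d+)([RD])$")

def parse_field(text):
    """Parse one field into its components; raise ValueError if malformed."""
    m = FIELD.match(text.strip().upper())
    if m is None:
        raise ValueError("malformed key field: %r" % text)
    keyid, fpr, bits, ktype = m.groups()
    if len(fpr) == 40:
        # OpenPGP v4 keys: the key ID is the low 64 bits of the SHA-1
        # fingerprint, so it can be derived and cross-checked.
        if keyid is not None and keyid != fpr[-16:]:
            raise ValueError("key ID does not match fingerprint: %r" % text)
        keyid = fpr[-16:]
    # 32 hex digits is an MD5 fingerprint of a v3 RSA key; its key ID comes
    # from the RSA modulus and cannot be checked against the fingerprint.
    return {"keyid": keyid, "fingerprint": fpr, "bits": int(bits), "type": ktype}

def differing_components(a, b):
    """List the components on which two parsed fields disagree."""
    return [k for k in ("keyid", "fingerprint", "bits", "type")
            if a[k] is not None and b[k] is not None and a[k] != b[k]]

def same_key(a, b):
    """Two entries name the same key only if every component agrees."""
    return not differing_components(a, b)

if __name__ == "__main__":
    listed = parse_field("6DC580F5C7261095/CBD9F4126807E405CC2D27121DF5E86E/1024R")
    # Constructed entry: same key ID and fingerprint, different key length.
    lookalike = parse_field("6DC580F5C7261095/CBD9F4126807E405CC2D27121DF5E86E/2048R")
    print(same_key(listed, lookalike), differing_components(listed, lookalike))
```
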