Basic question on GPG Key

Discussion in 'privacy technology' started by dogbite, Jul 3, 2014.

Thread Status:
Not open for further replies.
  1. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    I saw mirimir's signature, and I was wondering why the Fingerprint is also written.
    Shouldn't the Key ID be enough for getting the Public Key from a directory?

    Thanks
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Yes, the Key ID is enough to find and download the key. But, the fingerprint lets you confirm that the key you get is legitimate.

    When you have gpg display the fingerprint of the key you got from the server, it must match what's shown in mirimir's signature to be valid.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    The Key ID can be spoofed, but not (as far as I know) the full fingerprint.

    By "spoofed", I mean that another key can be generated having the same Key ID. Just keep generating new keys until you find one that matches.
     
  4. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Thanks. Is that realistic? I mean, generating a huge amount of keys until you get that specific ID?
     
  5. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
  6. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Interesting. But how to generate a longer (64-bit or more) key ID?
    In my case I generated my Keys with Mailvelope and they are pretty 32-bit standard ones.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    The Key ID just by definition comprises the last eight characters of the Fingerprint. The only way to fix the problem would be to change the definition of Key ID, perhaps including more of the Fingerprint. But that would probably break stuff.
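
Added example, not part of the original thread: a Python sketch of the check discussed above, showing how a V4 fingerprint is derived (RFC 4880, section 12.2), how the short and long Key IDs are just its tail, and why only a full 40-hex-digit comparison should be accepted. The function names, the packet body and both fingerprints are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values: two different fingerprints sharing the last 8 hex digits.
PUBLISHED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF DEAD BEEF"
LOOKALIKE = "FEDC BA98 7654 3210 FEDC  BA98 7654 3210 DEAD BEEF"
# Constructed V4 public-key packet body: version, creation time, algorithm, dummy key material.
SAMPLE_BODY = bytes([4]) + struct.pack(">I", 1404345600) + bytes([1]) + b"\x00\x08\xff\x00\x02\x03"

def v4_fingerprint(pubkey_packet_body: bytes) -> str:
    """SHA-1 over 0x99, a 2-byte big-endian length, then the public-key packet body."""
    framed = b"\x99" + struct.pack(">H", len(pubkey_packet_body)) + pubkey_packet_body
    return hashlib.sha1(framed).hexdigest().upper()

def normalize(fpr: str) -> str:
    """Drop whitespace, colons and an optional 0x prefix; return upper-case hex."""
    s = "".join(fpr.split()).replace(":", "").upper()
    if s.startswith("0X"):
        s = s[2:]
    if not s or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError("not a hex string: %r" % fpr)
    return s

def short_key_id(fpr: str) -> str:
    """32-bit Key ID: the last eight hex characters of the fingerprint."""
    return normalize(fpr)[-8:]

def long_key_id(fpr: str) -> str:
    """64-bit Key ID: the last sixteen hex characters of the fingerprint."""
    return normalize(fpr)[-16:]

def matches_published(downloaded: str, published: str) -> bool:
    """Accept only when both values are full 160-bit fingerprints and are identical."""
    a, b = normalize(downloaded), normalize(published)
    if len(a) != 40 or len(b) != 40:
        return False  # a bare Key ID is never sufficient proof
    return hmac.compare_digest(a, b)

if __name__ == "__main__":
    print("fingerprint of sample body:", v4_fingerprint(SAMPLE_BODY))
    print("same short Key ID:", short_key_id(PUBLISHED) == short_key_id(LOOKALIKE))
    print("full fingerprints match:", matches_published(LOOKALIKE, PUBLISHED))
```

In practice the downloaded value would be the fingerprint gpg displays for the imported key, and the published value the one from the signature.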
     