On 06/06/2014 04:19 AM, Cpp wrote me privately (but later OKed publication): > On 6/5/14, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote: >> there is a link to an explanation about it. you can read the rationale >> for it here: >> >> http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234 > > Yes, that is where I got it from. > > I am aware of the discussion thread at gmane. In fact I've read the > entire chain before posting here, but I still didn't fully understand > it. It seems to be some advanced way to distinguish keys via full > fingerprints, but it doesn't seem to be a standard yet. By the looks > of it, it's more like a temporary feature or a placeholder for > something else. The big question is whether I should add it to my key. > The article above seems to think so though I'm not sure how useful the > feature really is considering the fact that it's not that widespread.
including this notation allows a remote peer who receives a signed message from you to reliably distinguish between two cases: 0) this signature is bad 1) this signature status is unknown and i just don't have the right key Without the extension, a signature verification process has no way to determine which of these scenarios is the correct one when the signature doesn't appear to validate. Without the extension, an attacker willing to do a fair amount of work (2^64 operations -- not out of reach of an organization willing to devote some time and resources) can create a key with a colliding long keyID. If the party verifying a signature is verifying against the new/colliding key instead of the proper key, then all the signatures will appear in this broken state. few OpenPGP signature-verifying tools make this check currently; but your messages may be verified by systems that you don't know about (including systems in the future). If you want to provide those tools with an way to reliably distinguish between the two cases, you should use the notation. Regards, --dkg
pgpWBaFE3Fr6z.pgp
Description: PGP signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users