On Jan 13, 2015, at 2:53 PM, NdK <ndk.cla...@gmail.com> wrote: > > Il 13/01/2015 16:34, David Shaw ha scritto: > >> I like the idea of adding a proper fingerprint to signature packets. I seem >> to recall this was suggested once in the past, but I don't recall why it >> wasn't pursued. > What I don't understand (surely because of my ignorance of GPG inner > working) is what that should add to the security... IOW, if the private > key have been generated by a third party to have a certain fingerprint, > what's the purpose of adding that fingerprint to the signature?
OpenPGP uses the 64-bit key ID to locate keys. If two people have the same 64-bit key ID, it doesn't mean that person A can impersonate person B, but it does mean that if both person A and person B's keys are on a given keyring, the verifying program will not know which key to use to check the signature. Only the right key will actually work for verification, but the program may not be able to find that right key. The fingerprint is a 160-bit key ID - effectively impossible (given today's knowledge) to impersonate. David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
