http://en.wikipedia.org/wiki/Public_key_fingerprint is relevant and describes the use case and vulnerabilities accurately.
We have, I think, three options: - MD5 fingerprinting, with the risk of collisions - a more secure hash, which we must truncate to fit the use case, e.g. first 6 bytes of SHA512 hash - no fingerprinting at all -Pieter On Wed, Oct 16, 2013 at 3:08 PM, T. Linden <[email protected]> wrote: > On Wed, Oct 16, 2013 at 01:59:54PM +0200, Pieter Hintjens wrote: >> However I'm not convinced we can ignore manual verification. If I send >> you my public key and then call you to check whether you got it, how >> are you going to tell me what you got? > > Well, that's an argument. > > Then what about some kind of id? Something like PGP is using, e.g.: > 0xA8960B17? I've got no clue how it's computed but such a key-id is > short enough for user verification. > > > > regards, > Tom > > -- > PGP Key: https://www.daemon.de/txt/tom-pgp-pubkey.txt > S/Mime Cert: https://www.daemon.de/txt/tom-smime-cert.pem > Bitmessage: BM-2DAcYUx3xByfwbx2bYYxeXgq3zDscez8wC > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > _______________________________________________ > zeromq-dev mailing list > [email protected] > http://lists.zeromq.org/mailman/listinfo/zeromq-dev -- - Pieter Hintjens CEO of iMatix.com Founder of ZeroMQ community blog: http://hintjens.com _______________________________________________ zeromq-dev mailing list [email protected] http://lists.zeromq.org/mailman/listinfo/zeromq-dev
