Re: [openpgp] Fingerprints and their collisions resistance

[Nicholas Cole <nicholas.cole@gmail.com>]

On Thu, Jan 3, 2013 at 10:54 PM, Werner Koch <wk@gnupg.org> wrote:

> On Thu,  3 Jan 2013 20:06, openpgp@brainhub.org said:
>
>
> > export/import control of encryption). Fingerptins are special data
> > structures because they are sometimes input by humans.
>
> Well, humans compare fingerprints but don't enter them.  I doubt that I
> ever did this in the last 20 years.


Yes.  And it is also important that there is a way to 'uniquely' (granted
the *very* small chance of a collision - I think there has been only one
possible collision with SHA-1 fingerprints reported on the gnupg list)
identify keys to other programs.  I suspect that a lot of programs using
gnupg and other implementations expect the fingerprint to be unique.  There
does have to be a reliable way to refer to a particular key.

So fingerprints are compared by humans, but they are also important for
computers too - and probably used more by computers than by humans.  I
don't see the sense in adopting a truncated standard.  Any new fingerprint
is going to be more tedious than comparing SHA-1, but that's the price to
be paid for security.

I suppose that humans will start relying more on the key-id.  I assume that
any new standard would adopt a more collision-resistant key-id.

N.