Re: [openpgp] Followup on fingerprints

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 August 2015 19:19 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Nicholas Cole <nicholas.cole@gmail.com>, Vincent Breitmoser <look@my.amazin.horse>
Date: Thu, 06 Aug 2015 15:19:24 -0400
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/W9pqHXGKRXqdO68Sgf3S_MGhopQ>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>, ianG <iang@iang.org>

On Thu 2015-08-06 12:12:48 -0400, Nicholas Cole wrote:
> There's actually just a more basic, practical problem. Most gpg tools
> assume unique fingerprints. Is it even possible to specify one key rather
> than another if both have the same fingerprint?

But what are the consequences of this? If there's a specifically
troubling scenario that puts other people at risk, we should be able to
describe it.

If there isn't, then this suggests that actually using two keys with the
same fingerprint is a problem only for the person who holds the two
keys, right?

But that person has an easy (much cheaper in fact) way to proceed
without the problem: don't make a fingerprint collision in the first
place!

        --dkgp