> Von: Gnupg-users [mailto:[email protected]] Im Auftrag von > > On Tue 2018-01-30 21:35:57 -0500, FuzzyDrawrings via Gnupg-users wrote: > > Wouldn't it make more sense to hash only the public-key's MPI > > value(s)? That way if an implementation's code fails to generate a > > unique key-pair, it will be known because the fingerprint will be the > > same as some other key. > > > > But as it is, with the Fingerprint hash including the timestamp, any > > "colliding" keys will have different fingerprints and so will go > > undetected. > > > > Is there a good reason for it to be this way? > > This is a great question, and one that i've struggled with over time. I > currently think that including the creation time in the fingerprint is a > *good* thing, but i have felt otherwise in the past.
Including it provides a fast way to generate keys without changing cryptographic material (slow), thus speeds up creating keys with given 32 key-ID, 64 key-id might also be possible. Thus making it easier to provoke human errors (fingerprints where first/last 16 bit are matching another key, identical key-ID) ...
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
