[107475] in Cypherpunks
Re: PGP Fingerprint
daemon@ATHENA.MIT.EDU (Anonymous)
Thu Jan 14 20:43:15 1999
Date: Fri, 15 Jan 1999 02:20:14 +0100
From: Anonymous <nobody@replay.com>
To: cypherpunks@einstein.ssz.com
Reply-To: Anonymous <nobody@replay.com>
> See the FAQ entry that someone else posted for what is wrong with pgp2.x
> fingerprints.
Does the problem affect only the 2.x scheme (which is what I thought when I
posted) or do fingerprints generated by later versions share the same
affliction?
Also, is the hash used in key signing for affected versions a complete one
(i.e., including all necessary info)?
> As far as PGP format goes, adding the length field into the digest would go
> along way towards fixing it. (Length fields for pgp big int representation
> is big endian 16 bit word representing length of following big int in
> bits).
>
> Peter Gutmann suggested using the ASN.1 representation for an RSA key, as a
> more portable way of doing it (compatible with x509).
It's also more general (or maybe that's the same thing you're saying): if you
make a habit of hashing something you could really use to encrypt a message,
there's no way you could make a similar mistake doing fingerprints even if
you're using a different PKC -- for what that's worth.
