On 05/07/2009 11:45 AM, David Shaw wrote: > On May 5, 2009, at 2:13 AM, Daniel A. Nagy wrote: >> David Shaw wrote: >>> Fingerprints: >>> * Must be human-readable >>> * Needs to be small to be useful >>> * Can collide to some small amount (4880 even documents that they >>> collide in section 12.2) >> >> That's not the fingerprint. That's the key ID. > > A nit, but that really is the fingerprint. The important items here are 1 and 2, which both apply to a fingerprint. Humans need to be able to cognitively compare fingerprints, so they must be both human-readable and small enough to wade through. As for collisions, 32-bit key ids don't collide "to some small amount". They have *massive* collisions because of the small output space. It takes a few hours of compute time on a single modern desktop machine to generate 32-bit keyID collisions against every single key in the public WoT. 64-bit keyids are better, but still nowhere near the collision resistance we should be expecting from tools we expect humans to use to validate content. keyIDs are useful as pointers, but are not at all useful for verification purposes. --dkg
Attachment:
signature.asc
Description: OpenPGP digital signature