Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 29 Dec 2014 14:09:20 +0100
From: Florian Weimer <>
Subject: OpenBSD signify and "fingerprint"

This is just a warning that what OpenBSD's signify tool calls a
“fingerprint” is very different from the concept of a fingerprint in
OpenPGP.  It is just a random 64-bit blob with no relationship to the
raw public key used for signing.  Conceptually, it is similar to the
OpenPGP key ID (it is used as a quick check that public key and
signature match), except that it is even more trivial to forge.

Fortunately, typical usage patterns of the signify tool do not expose
the fingerprint to the user, so there is no immediate temptation to
use it for validating a key (which is the primary use case for
fingerprints in OpenPGP).  It is also short (64 bits) and thus not
very secure to the initiated, no matter how it is computed, but I'm
not fully convinced that this is a sufficient deterrent.

Maybe a different term instead of “fingerprint” could be used to
reduce the potential for confusion.  Something like “key number” or
“key slot” might be appropriate (because these terms do not confer any
identifying property).

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.