From 02b0785584a3e2b8fcc52bcbdc2bde3e2d5afa2c Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Wed, 22 Nov 2023 21:38:33 +0100 Subject: [PATCH] ch4: attempt at clarifying the kind-of-unique-but-technically-not property of fingerprints, to deal with #113 --- book/source/04-certificates.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index c3b3ff1..4f0e559 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -80,7 +80,7 @@ Each OpenPGP component key possesses an *OpenPGP fingerprint*. This fingerprint :name: fig-fingerprint :alt: Depicts a box with white background and the title "Fingerprint of an OpenPGP component key". Inside, another box with a green frame, the title "Component Key", the text "key creation time" on the lower left and a the green public key symbol on the lower right is shown. Below the component key box a fingerprint in a box with a light-yellow background and a yellow dotted line is depicted. The word "Fingerprint" is shown left of the box with the fingerprint and both are connected with a yellow dotted line. -Every OpenPGP component key is identifiable by a fingerprint. Although it's technically possible for different keys to share a fingerprint, [cryptographic mechanisms](crypto-hash) make it exceedingly difficult, if not practically impossible with current technology, to find keys that share a fingerprint. +Every OpenPGP component key is identifiable by a fingerprint. ``` The fingerprint of our example OpenPGP component key is `C0A5 8384 A438 E5A1 4F73 7124 26A4 D45D BAEE F4A3 9E6B 30B0 9D55 13F9 78AC CA94`[^keyid]. 
@@ -89,6 +89,12 @@ The fingerprint of our example OpenPGP component key is `C0A5 8384 A438 E5A1 4F7 For example, an OpenPGP version 4 certificate with the fingerprint `B3D2 7B09 FBA4 1235 2B41 8972 C8B8 6AC4 2455 4239` might be referenced by the 64-bit Key ID `C8B8 6AC4 2455 4239` or formatted as `0xC8B86AC424554239`. Historically, even shorter 32-bit identifiers were used, like this: `2455 4239`, or `0x24554239`. Such identifiers still appear in very old documents about PGP. However, [32-bit identifiers have been long deemed unfit for purpose](https://evil32.com/). At one point, 32-bit identifiers were called "short Key ID," while 64-bit identifiers were referred to as "long Key ID." +```{note} +In practice, the fingerprint of a component key is used like a unique identifier. + +However, formally, a fingerprint is not unique. For every component key, other component keys with the same fingerprint exist, in theory. But because fingerprints are calculated using a [cryptographic hash algorithm](crypto-hash), it is practically impossible to find two different component keys that have the same fingerprint. + ``` + ### Primary key The OpenPGP primary key is a component key that serves a distinct, central role in an OpenPGP certificate:
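Review bot: In the first hunk (`@@ -80,7 +80,7 @@`), the removed sentence was the only place at the point where fingerprints are introduced that says the identifier is not strictly unique; the replacement note only arrives in the second hunk, after the Key ID and 32-bit identifier discussion. A reader who stops after the fingerprint example therefore sees "Every OpenPGP component key is identifiable by a fingerprint." with no caveat at all. Consider keeping a short pointer here, e.g. "(see the note below on uniqueness)", or moving the `{note}` directive up to directly follow this paragraph, so the caveat and the claim it qualifies stay together.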
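Review bot: In the second hunk (`@@ -89,6 +89,12 @@`), the note would be clearer if it named the property it relies on: "it is practically impossible to find two different component keys that have the same fingerprint" describes collision resistance of the hash algorithm, so the practical guarantee is a property of the chosen hash, not of the fingerprint format itself; one clause saying so ("as long as the hash algorithm remains collision resistant") makes the caveat precise without weakening it. Two smaller points: "used like a unique identifier" reads better as "used as a unique identifier", and the closing fence on the `+ ```` line has a leading space while the opening ```` ```{note} ```` has none; remove the space so both fences are aligned.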