including the entire fingerprint of the issuer in an OpenPGP certification

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Jan 17 18:42:06 PST 2011


Jon Callas <jon at callas.org> writes:

>On the other hand, this has never been a problem. It's harder than you think, 
>because you have to generate a new key each time, which takes a while on RSA.

Only if you want a secure key. For SSH fuzzy fingerprinting the limiting 
factor is the hashing, not the rate at which you can crank out keys, as long 
as you don't mind that the keys aren't very secure. OK, they're not secure at 
all, but that doesn't matter since you're going for spoofing, not a secure 
signature forgery.

Peter.

