Should the fingerprint of a renewed (extended) OpenPGP Key be the same? Is there any documentation on it (RFC)?
Quoting from RFC 4880:
There are many ways possible for two keys to have the same key material, but different fingerprints (and thus Key IDs).
Specially the bold part, so I guess that changing the fingerprint would also result in changing the key ID hence make the key useless, correct?
OpenPGP key IDs (and fingerprints) are used to reference keys when performing several actions like requesting and sending keys, or when verifying ownership. For example, you'd exchange the fingerprint with the key's owner on a separate, trusted channel to make sure the key really belongs to the person that claims to own the key.
The OpenPGP (v4) key ID is an identifier calculated from the public key and key creation timestamp. From those, a hashsum is calculated. The hex-encoded version is called the fingerprint of the key. The last (lower order) 16 characters are called the long key ID, if you only take the last eight characters, it's the short key ID. An example for my own public key:
fingerprint: 0D69 E11F 12BD BA07 7B37 26AB 4E1F 799A A4FF 2279
long id: 4E1F 799A A4FF 2279
short id: A4FF 2279
The primary public key's ID is referenced in the pub line after the key size, in your case the short key ID is CB3AF6E6:
pub 4096R/CB3AF6E6 2015-12-24 [expires: 2016-12-23]
Be aware the eight byte short key IDs do not provide a sufficiently large value space, and it is easily possible to generate duplicate keys through collision attacks. Instead of short key IDs, use at least long key IDs, and when software handles keys, always refer the whole fingerprint.
For more details on how the hash sums are derived, I refer to RFC 4880, OpenPGP, 12.2. Key IDs and Fingerprints which also explains the differences for deprecated OpenPGP v3 keys.
The RFC you're quoting refers to "many ways" to have the same "key material" have different fingerprints (and thus key IDs). First of all, one should discuss what "key material" includes; I'd suggest that the author was referring to the numbers forming the key only, not meta information like the key creation timestamp. Also, I'd not really consider the number of ways to get different fingerprints for the same key material as "many". I can only see two ways (without claiming the list to be complete, at least I should not have missed something obvious):
As already discussed above, v3 and v4 OpenPGP keys have different fingerprint calculation methods, so the same key pair will result in different fingerprints. This is also noted in the RFC:
Perhaps the most interesting is an RSA key that has been "upgraded" to V4 format, but since a V4 fingerprint is constructed by hashing the key creation time along with other things, two V4 keys created at different times, yet with the same key material will have different fingerprints.
Different key creation timestamps will result in different fingerprints. This is what was used by the Evil32 key collision attack to create lots of seemingly different fingerprints using few keys (key generation is expensive, while just iterating timestamps and calculating hash sums is cheap).
Should the fingerprint of a renewed (extended) OpenPGP Key be the same? Is there any documentation on it (RFC)?
[...] I guess that changing the fingerprint would also result in changing the key ID hence make the key useless, correct?
If you extend the validity period, the fingerprint will not change at all -- you're neither changing the numbers forming the "key material", nor are you changing the key creation timestamp.
By extending the validity period, a special self-signature storing the expiry date will be issued. This signature has its own timestamp included, and will override any former expiry dates, so that any other user of OpenPGP will have the new expiry date merged into your old key.
Yes, if the fingerprint changes, your key would be rendered useless (in the sense that it seems to be another key), as the fingerprint is used as reference for both certifications and other usages of keys. But that's merely theoretical, as fingerprints won't change in practice.
Fingerprint is a hash of a public key, if your public key changes then your fingerprint would change as well. Now, I don't believe extending PGP key actually changes anything but expiration date. While fingerprint of a PGP key includes other fields in the hash, I don't believe expiration date is part of the hash.
