ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Fw: [ietf-tls] using openpgp with tls

2002-01-17 10:09:25
from [Nikos Mavroyanopoulos] [Permanent Link] 

On 17 Jan 2002 09:52:24 -0500 Derek Atkins <warlord(_at_)MIT(_dot_)EDU> wrote:

Derek, 
 thank you for your comments,


You probably do not want to assume that the fingerprint is 20 octets
long; fingerprints on v3 RSA keys are only 16 octets long.  So, your
definition of PGPFingerprint<20> wont work with all OpenPGP keys.
Since you're already assuming DSS keys by your 20-octet fingerprint,
it should be noted that the v4 (DSS) keyID is just the lower 64-bits
of the fingerprint. (RFC2440: 11.2)

the notation <20> means an upper limit of 20 bytes in TLS (used in RFC2246), 
so v3 fingerprints can be used. (the specified data are encoded with the size).


You probably want to send along the keyID as well as the fingerprint.
Most implementations can only lookup a key based on the keyID.  As a
result, you wont be able to easily lookup v3 RSA keys if you only send
the fingerprint.  I would recommend you change the definition to:

I'm not quite familiar with OpenPGP, and I had the impression that v3
keys were only defined for backwards compatibility. If v3 keys are still 
in use I could use something like:


opaque PGPKeyID<8>
opaque PGPFingerprint<20>

struct {
    PGPKeyID pgp_key_id;
    PGPFingerprint pgp_fingerprint;
} PGPKeyDescriptor;


or


opaque PGPKeyID<8>
opaque PGPFingerprint<20>
enum { v3, v4 } PGPKeyVersion;

struct {
   PGPFingerprint pgp_fingerprint;
   PGPKeyVersion keyVersion;
   select (PGPKeyVersion) {
         case v3: PGPKeyID;
         case v4: {};
   }
} PGPKeyDescriptor;


The first version always sends the keyID (which is redundant in v4 keys).

The second version is a bit complicated, but sends the keyID only for v3
keys. I don't really like it because (at least since today) TLS did not 
have to know about X.509 certificates' version explicitly. I think it's 
better to be that way for OpenPGP keys too.


-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord(_at_)MIT(_dot_)EDU                        PGP key available



-- 
Nikos Mavroyanopoulos
mailto:nmav(_at_)hellug(_dot_)gr
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Fw: [ietf-tls] using openpgp with tls, Derek Atkins
Next by Date:  Re: Fw: [ietf-tls] using openpgp with tls, Werner Koch
Previous by Thread:  Re: Fw: [ietf-tls] using openpgp with tls, Derek Atkins
Next by Thread:  Re: Fw: [ietf-tls] using openpgp with tls, Derek Atkins
Indexes:  [Date] [Thread] [Top] [All Lists]