
Re: [openpgp] Mining protection in fingerprint schemes

2016-04-11 11:11:10
Werner Koch <wk(_at_)gnupg(_dot_)org> writes:

On Sat,  9 Apr 2016 04:35, dkg(_at_)fifthhorseman(_dot_)net said:

(and there's no reason that OpenKeychain needs to use the fingerprint --
for Ed25519 keys, they could just put the public key itself in the QR

Which would also encourage not adding a salt (creation timestamp), so
that there is no need to somehow also convey the creation timestamp.

Wait, is this for the authentication string or the DB lookup handle?  I
still think we're conflating the two.  And for an authentication string,
including the additional data is just fine.

When someone hands me the business card I would expect it to contain the
authentication string, not the DB Handle.  But there is also additional
data available to me, like the userID (email address).

From a user process point of view I would expect to look up the key using
the userid and then use the authentication string from the business card
to make sure I got the right key.

At this point, including the metadata (timestamp) in the authentication
string is fine, because I have the public key certificate including all
the metadata.

If you're doing automated key transfer then you could just use the
Database Lookup Handle.  But again, at that point where you have the
handle and need to look up the key, the only question is whether you
have a database or just raw material.

Shalom-Salam,

   Werner

-derek

-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant
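To make the distinction above concrete, here is an added example (not code from the thread or from any OpenPGP implementation) that builds the v4 fingerprint of an Ed25519 key the way RFC 4880 section 12.2 hashes a public-key packet, assuming the EdDSA algorithm id 22 and the Ed25519 curve OID from the EdDSA-for-OpenPGP draft. It shows that the creation timestamp salts the authentication string, so verifying a business-card fingerprint needs the fetched certificate, whereas a lookup handle derived from the raw key carries no timestamp at all.

```python
import hashlib
import hmac
import struct

# Assumed constants from the EdDSA-for-OpenPGP draft: public-key algorithm 22
# (EdDSA) and the Ed25519 curve OID 1.3.6.1.4.1.11591.15.1 in DER body form.
ALGO_EDDSA = 22
ED25519_OID = bytes.fromhex("2b06010401da470f01")


def mpi(value_bytes: bytes) -> bytes:
    """Encode an unsigned big-endian integer as an OpenPGP MPI (RFC 4880 3.2)."""
    value = int.from_bytes(value_bytes, "big")
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + body


def ed25519_key_packet_body(creation_time: int, pubkey: bytes) -> bytes:
    """Body of a v4 public-key packet: version, timestamp, algo, OID, point MPI."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    point = b"\x40" + pubkey  # 0x40 prefix marks the native (compressed) encoding
    return (b"\x04" + struct.pack(">I", creation_time) + bytes([ALGO_EDDSA])
            + bytes([len(ED25519_OID)]) + ED25519_OID + mpi(point))


def v4_fingerprint(creation_time: int, pubkey: bytes) -> str:
    """Authentication string: SHA-1 over 0x99, 2-octet length and the packet body."""
    body = ed25519_key_packet_body(creation_time, pubkey)
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def lookup_handle(pubkey: bytes) -> str:
    """Database handle from the raw key alone: no timestamp has to travel with it."""
    return pubkey.hex()


def matches_business_card(card_fp: str, cert_time: int, cert_pubkey: bytes) -> bool:
    """Recompute the fingerprint from the fetched certificate (which carries the
    timestamp) and compare it with the card's string in constant time."""
    expected = v4_fingerprint(cert_time, cert_pubkey)
    return hmac.compare_digest(expected, card_fp.replace(" ", "").upper())


if __name__ == "__main__":
    key = bytes(range(32))                    # constructed sample key, not a real one
    fp_a = v4_fingerprint(1460160000, key)
    fp_b = v4_fingerprint(1460160001, key)    # same key, created one second later
    print(fp_a, fp_b, fp_a != fp_b)           # timestamp changes the fingerprint
    print(lookup_handle(key))                 # handle is timestamp-independent
```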

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp