I'm in the process of developing a system that uses the OpenPGP message
format to encode messages sent over the network and have run into the
following issue: The spec (RFC2440) states that signatures should contain
a "issuer's key ID" hashed subpacket. I don't understand why this packet
wasn't defined to be an "issuer's key fingerprint" instead. It seems to
me like it would save a huge amount of effort that implementations have to
go to to avoid problems with key ID collisions.
It would make my code substantially simpler if I could have a "signer's
key fingerprint" instead. And as the spec stands, I have to define my own
subpacket type for it. Since the ID can be directly derived from the
fingerprint and they both have distinct, fixed lengths, it seems to me
like you could unambiguously use either one or the other in the same
subpacket without any other indication of which it was; if the length is 8
bytes, its the ID, if its 20 bytes, its the fingerprint. Any thoughts?
thanks
john
-------------------------------------------
John Bucy
"My mind is going....I can feeeeeeel it..."
bucy(_at_)gloop(_dot_)org
-------------------------------------------