On Fri, 18 Jan 2002 16:18:46 +0200 Nikos Mavroyanopoulos
<nmav(_at_)hellug(_dot_)gr> wrote:
That is also my understanding. The point is whether it is possible
lookup a key based on the fingerprint. I say yes because for a local
lookup you should index you keyring anyway (think about a server and
millions of users) and then it doesn't matter whether to lookup by
fingerprint or keyID.
[...]
The reason I replaced keyIDs with Fingerprints is that this identifier
is covered by the TLS Finished messages. This means that after the Finished
messages are sent, the parties know that the peer got a key which is
identified
by the fingerprint or keyID. Since keyIDs[1] can be faked, they do not
qualify
for this. If they should be added, they should be added for backwards
compatibility and only for this reason.
On second thoughts, I think there is not an issue for backwards compatibility,
since a client is not required to send the fingerprint (he may send the key).
A holder of a v3 key may send the key instead of the fingerprint, in the
case he suspects that the server could not retrieve the key.
I think this is the most clean solution. If you agree I'll keep the original
version.
--
Nikos Mavroyanopoulos
mailto:nmav(_at_)hellug(_dot_)gr