ietf-openpgp

Re: Hard expiration dates (was: I-DACTION:draft-ietf-openpgp-rfc2440bis-07.txt)

2003-03-24 10:08:38

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jon Callas noted:
> The V4 fingerprint *includes* the creation time of the key, which is, in most
> people's opinion, a flaw.

Could you say why people thought this was a flaw?

I presume that everyone agreed that it must be included in the hashed
material for signatures.  Otherwise, the relative times in the various
subpackets would be meaningless.  (I think that using relative times
there was ill-advised anyway, but that's another matter.)  It would
make the time in the key packet completely worthless -- anyone could
change it arbitrarily without disturbing fingerprints or signatures.

If it were used in signatures but not fingerprints, this would leave us
with the same collating mess as we have for v3 keys.  The fingerprint
would not be sufficient as a unique key for indexing key material.
You'd have to tack on this other field, or compare the whole key, or
compute yet another strong hash.  I can't see how this is a feature
you'd want to retain from v3 :-(.

Now, if the argument was that the creation time didn't belong in the
key packet at all, I'd have to agree.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPn87Tuc3iHYL8FknEQKtDgCfTZ9EAtTE1knVLhkLow8Uet3OIQ0AoNKQ
6VjqkEcFKkSv9CCRbs1Kvj0z
=cwZw
-----END PGP SIGNATURE-----
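
The difference discussed in the message above, as an added example that is not part of the original post: it computes fingerprints the way the OpenPGP specification defines them for V4 keys (SHA-1 over the whole key packet) and for V3 RSA keys (MD5 over the modulus and exponent only). The modulus, exponent and timestamps are constructed values, not a real key, and the function names are this example's own.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_key_body(created: int, n: int, e: int) -> bytes:
    """V4 public-key packet body: version, creation time, algorithm (1 = RSA), MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, a 2-byte body length, and the entire body (creation time included)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()

def v3_fingerprint(n: int, e: int) -> str:
    """MD5 over the MPI magnitudes of n and e only: no bit counts, no creation time."""
    return hashlib.md5(mpi(n)[2:] + mpi(e)[2:]).hexdigest()

# Constructed sample values (assumptions for illustration, not a usable RSA key).
N = (1 << 1023) | 0x1234567
E = 65537
T1 = 1048500000          # constructed creation time
T2 = T1 + 86400          # same key material, timestamp moved by one day

def compare(n: int, e: int, t1: int, t2: int) -> dict:
    """Fingerprint the same key material under two different creation times."""
    return {
        "v4": (v4_fingerprint(v4_key_body(t1, n, e)), v4_fingerprint(v4_key_body(t2, n, e))),
        "v3": (v3_fingerprint(n, e), v3_fingerprint(n, e)),  # timestamp is never hashed
    }

if __name__ == "__main__":
    result = compare(N, E, T1, T2)
    # V4: editing the timestamp yields a different fingerprint, so the change is detectable
    # and the fingerprint alone identifies one exact key packet.
    print("v4 differ:", result["v4"][0] != result["v4"][1])
    # V3: both packets share one fingerprint, so an index keyed on it cannot tell them apart.
    print("v3 equal: ", result["v3"][0] == result["v3"][1])
```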