I have some comments:
* We're deprecating V3 keys. You should either not mention them, or
mention that they're deprecated.
On the other hand, you could just punt the whole issue by allowing a
fingerprint to just be a string of hex digits. The length tells you
what you need to know. If it's 128 bits in length, it's a V3 key; 160
means V4. Even key ids are implicit based on length. (And with V4 keys,
the key id is just a truncation of the fingerprint.)
* I also don't think you need the 0x. Just define it to be hexadecimal.
The breaker is needed to know that literals in a programming language
are of one base or another. Key IDs and fingerprints come in only one
base. I know it's a MAY. Drop it anyway, because if it's there, an
implementation has to handle both its presence and absence. It's merely
noise.
* I understand why you have the url header, and think it's nice. But
once you have that, (or the key is uniquely identified by key id or
fingerprint) you don't need the algorithm, size, and created fields.
These are merely comments all on their own, and if you have them there,
you have to deal with what happens if they are wrong.
Let's suppose a URL points to my key and the header erroneously states
that it's a DSA key, when it is in fact an RSA key. Now what? What if
the creation time in the header is wrong? Since all that information is
in the key itself, better to just get it from the key.
So to answer the question in section 6, I think you should drop them.
* I think the other open question you have, as to whether someone wants
MIME encodings or not is much more important. At PGP, we're starting to
code that into the certificates themselves, so the encryption mechanism
can do the right thing.
Jon