> In section 12.2, the text says that _the_ two-octet packet length
> comes after the 0x99 octet.
> Does that mean that the public key data may not be larger than 65536
> bytes?
> If so: Is that stated anywhere?
> And... is this good? Considering permanently growing key sizes or the
> possible existence of practically useful public key algorithms using
> (for example) a variable number of integers[1].

I'm only going to answer parts of your question.

This really isn't an issue. Right now, just about everyone uses only
4k public keys. 4k bits is 512 bytes. Even if you need several 4k bit
numbers, there's plenty of room.

The long-term issue we face is crypto-balance with 256-bit symmetric
algorithms. NIST estimates a 15k-bit key to be balanced with AES-256.
While plenty of people disagree with that, we all agree that we're
not going to crypto-balance RSA with AES. It would be annoying and slow.

Long term, we're going to move to elliptic curve, and those keys are
smaller. Crypto-balance would be at about 512 bits, and thus it fits
in just fine.

However, let me just assume that next week someone invents Magic
Dingus Encryption, which has the advantage that it is not only ten
times faster than ECC, but is proven immune to quantum computers as
well as mental telepathy. The downside is that the public keys are
128k bytes in size.

In such a case, when we write the RFC for MDE in OpenPGP, we would
need to state how you compute the fingerprint of an MDE key in that
RFC. That's it. (And as a matter of fact, when we do ECC for OpenPGP,
we'll have to specify the ECC parameters for fingerprints in whatever
RFC specifies ECC for OpenPGP.)

The reason why it specifies in 12.2 the precise length is that in
OpenPGP there are often many ways to state a length. Thus, we have to
state precisely how to compute the fingerprint, because we don't want to
end up with a to-may-to/to-mah-to issue in computing fingerprints.
That's it.

Jon
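
The fixed hash input discussed in the thread above, as an added example that is not part of either message: the same V4 public key body is framed with two different packet-header length forms, and the fingerprint comes out identical because it is always computed over 0x99, a two-octet length and the body. It assumes the packet-header and V4 fingerprint rules of RFC 4880 (sections 4.2 and 12.2); the function names and the RSA-shaped sample key are constructed for illustration.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP MPI: two-octet bit count, then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_key_body(created: int, algo: int, *mpis: int) -> bytes:
    """V4 Public-Key packet body: version, creation time, algorithm, MPIs."""
    return struct.pack(">BIB", 4, created, algo) + b"".join(map(mpi, mpis))

def packet_body(packet: bytes) -> bytes:
    """Strip the packet header, whichever of the length forms it uses."""
    tag = packet[0]
    if not tag & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag & 0x40:  # new-format header
        first = packet[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + packet[2] + 192
        elif first == 255:
            start, length = 6, int.from_bytes(packet[2:6], "big")
        else:
            raise ValueError("partial body lengths are not handled here")
    else:  # old-format header: low two bits give the length field size
        size = {0: 1, 1: 2, 2: 4}.get(tag & 3)
        if size is None:
            raise ValueError("indeterminate lengths are not handled here")
        start, length = 1 + size, int.from_bytes(packet[1:1 + size], "big")
    if len(packet) < start + length:
        raise ValueError("truncated packet")
    return packet[start:start + length]

def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over 0x99, the two-octet body length, then the body."""
    if len(body) > 0xFFFF:
        raise ValueError("key body does not fit the two-octet length")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

# Constructed sample: an RSA-shaped key (algorithm 1), not a real key pair.
BODY = v4_key_body(1_177_977_600, 1, (1 << 4095) | 1, 65537)
OLD_FORMAT = b"\x99" + struct.pack(">H", len(BODY)) + BODY       # 2-octet length
NEW_FORMAT = b"\xC6\xFF" + struct.pack(">I", len(BODY)) + BODY   # 5-octet length
```

A body the size of the hypothetical 128k-byte key raises `ValueError` in `v4_fingerprint`, which is the case a new algorithm's RFC would have to define separately.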