Daniel A. Nagy wrote:
On Thu, Mar 13, 2008 at 09:26:32PM +0100, Florian Weimer wrote:
* David Crick:
How much enthusiasm is there for this? Enough to generate
some consensus? Is there a business case for a redesign?
"doesn't use SHA1" sounds like a good V5 business case....
Yes, some of us do check-list based security, and not having to rely on
SHA-1 is helpful in this area.
And while we are at it, I would suggest to express V5 fingerprints (as well
as key IDs) either in octal or in decimal. This is not a cryptography issue
(*), but a usability issue on (typically mobile) devices with numeric-only
keypads. As an added benefit, it would make the keyID ~ telephone number
metaphor more sustainable.
For such a decision, OpenPGP could earn the ethernal gratitude of the entire
telecom industry.
I cautiously agree with this.
The old idea of hex and base64 was about saving bits and
aligning with the soul of the computer. Those ideas are
anachronisms with modern capacities, and with modern users.
(Also, in both SSH and PGP, we have seen difficulties with
key identification ... with different varieties of
expression being incompatible. This failure has slowed down
and probably killed the ability to check public keys easily,
a major tenet of opportunistic cryptography.)
So it would be nice to create one unified way. Something
like, all key Ids are expressed as parts of ordinary base-10
numbers of the formal SHA-512 hash of the key. The key Id
is always read from the left side of the full hash. If you
want more discrimination you read off more digits. The size
of the number tells you the discrimination.
("something like" being a thought experiment, not a serious
suggestion to start coding ;)
iang