On May 4, 2009, at 3:24 PM, Daniel Kahn Gillmor wrote:

> On 05/04/2009 02:57 PM, David Shaw wrote:
>
> > we would have to play length checking games
> > to guess if they meant hash 4 or 40.
>
> We're still going to have to do a little bit of length-checking games,
> to distinguish between traditional SHA1 fingerprints and an
> accidentally-truncated version of the newer (and presumably longer)
> fingerprints.

We can use the presence of the delimiter dot to tell the difference.
If they've lost the dot, then, well, absent some special knowledge, we
can't really tell the difference between an old-style fingerprint and a
new-style fingerprint that is both accidentally truncated and missing
its delimiter dot. I wouldn't even try.

Note that the current OpenPGP does not attempt to tell the difference
between a V3 fingerprint (32 printed digits) and a V4 fingerprint that
just happened to lose 8 characters in a cut and paste error
somewhere. That's the job of the client (if it chooses to take it on
at all) more so than the job of the protocol.

David
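
The length and delimiter checks discussed in this message, sketched as a client-side classifier. This is an added example, not code from the original e-mail or from any OpenPGP implementation; the function name, the return labels and the `<prefix>.<hex digits>` shape assumed for the new-style form are hypothetical, and the sample fingerprints are constructed.

```python
import re

HEX = re.compile(r"[0-9A-Fa-f]+")

def classify_fingerprint(text):
    """Classify a user-supplied fingerprint string; returns (kind, note)."""
    # Printed fingerprints are usually grouped with spaces; drop whitespace.
    s = "".join(text.split())

    if "." in s:
        # Assumption: a new-style fingerprint is "<prefix>.<hex digits>".
        # The prefix is not interpreted, because its format is not given here.
        prefix, _, body = s.partition(".")
        if prefix and HEX.fullmatch(body):
            return ("new-style", "delimiter dot present")
        return ("invalid", "dot present but the rest is malformed")

    if not HEX.fullmatch(s):
        return ("invalid", "not hexadecimal")

    if len(s) == 40:
        return ("v4", "40 hex digits")
    if len(s) == 32:
        # Length alone cannot rule out a V4 fingerprint that lost 8 digits.
        return ("v3", "32 hex digits; could be a truncated V4 fingerprint")

    # No dot and an unexpected length: a truncated old-style or new-style
    # fingerprint are indistinguishable, so report it rather than guess.
    return ("unknown", "unexpected length %d and no delimiter dot" % len(s))


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",  # 40 digits
        "0123 4567 89AB CDEF 0123 4567 89AB CDEF",            # 32 digits
        "x.0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF", # dotted form
        "0123456789ABCDEF0123456789ABCDEF0123",               # 36 digits
    ]
    for sample in samples:
        print(classify_fingerprint(sample), sample)
```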