ietf-openpgp

Non-SHA-1 fingerprints

2009-05-04 17:54:17

Now that I think about the variable-hash fingerprint question a bit, I'm concerned about things like RFC-4398, which uses OpenPGP fingerprints in DNS. There is a fingerprint field there, and it is variable length, but it has no concept of hash algorithm. We'd have to define some standard way to write out a fingerprint in binary with the hash field incorporated.

So given that, I am wondering why we need a delimiter between the hash specifier and the fingerprint data for the human-readable version at all? A written fingerprint is expected to be readable, but not interpretable by a human being anyway, and software doesn't care about the delimiter one way or another.

So rather than 01.23456789ABCDEF.... or MD5-23456789ABCDEF... why not just 0123456789ABCDEF... ?

We already have a concept of variable length fingerprints (V3 = 16 bytes, and V4 = 20 bytes), and this fits reasonably well alongside those two. The rule would be 16 bytes means it's V3, 20 bytes means it's V4, and an odd number of bytes means it's this new format. If you see an odd number of bytes, you pull off the leftmost byte, and that's the algorithm number. The rest of the bytes are the hash value. We can trivially transform a V4 fingerprint into this new format by sticking the value 2 in front of it.

This does, of course, presume that all of our hashes for OpenPGP in the future will generate an even number of bytes.

David
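
The length rule proposed in the message above, written out as a parser. This is an added example, not part of the original post or of any OpenPGP implementation. It assumes the hash algorithm IDs and digest sizes from RFC 4880 section 9.4, and the function names are hypothetical.

```python
import hashlib

# Hash algorithm IDs and digest sizes in bytes (assumed from RFC 4880, section 9.4).
HASHES = {1: ("MD5", 16), 2: ("SHA1", 20), 3: ("RIPEMD160", 20),
          8: ("SHA256", 32), 9: ("SHA384", 48), 10: ("SHA512", 64),
          11: ("SHA224", 28)}


def parse_fingerprint(raw: bytes):
    """Classify a binary fingerprint by length alone, per the proposed rule.

    Returns (format, hash_name, digest); raises ValueError if it fits no format.
    """
    if len(raw) == 16:
        return ("v3", "MD5", raw)
    if len(raw) == 20:
        return ("v4", "SHA1", raw)
    if len(raw) % 2 == 0:
        # An even length other than 16 or 20 matches none of the three formats,
        # e.g. a bare SHA-256 digest written without its algorithm byte.
        raise ValueError(f"unrecognised fingerprint length {len(raw)}")
    algo, digest = raw[0], raw[1:]  # leftmost byte is the algorithm number
    if algo not in HASHES:
        raise ValueError(f"unknown hash algorithm id {algo}")
    name, size = HASHES[algo]
    if len(digest) != size:
        # Rejects truncated values and prefixes that do not match the digest.
        raise ValueError(f"{name} digest must be {size} bytes, got {len(digest)}")
    return ("prefixed", name, digest)


def parse_hex(text: str):
    """Parse the written form with no delimiter, e.g. '02ABCD...'."""
    return parse_fingerprint(bytes.fromhex(text))  # fromhex skips spaces


def upgrade_v4(fp: bytes) -> bytes:
    """Turn a V4 fingerprint into the new format by prepending the value 2."""
    if len(fp) != 20:
        raise ValueError("a V4 fingerprint is exactly 20 bytes")
    return bytes([2]) + fp


if __name__ == "__main__":
    # Constructed sample digest, not a real key fingerprint.
    sample = hashlib.sha256(b"constructed sample key material").digest()
    print(parse_fingerprint(bytes([8]) + sample)[:2])
    print(parse_hex(upgrade_v4(sample[:20]).hex().upper())[:2])
```

The digest-length check is what makes the leftmost byte trustworthy: without it, any odd-length value would be accepted under whatever algorithm its first byte happens to name.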