David Shaw wrote:
> Now that I think about the variable-hash fingerprint question a bit, I'm
> concerned about things like RFC-4398, which uses OpenPGP fingerprints in
> DNS.

For fingerprints, MDC and self-signatures, collision-resistance does not matter,
only the one-way property. So I think it is totally safe to postpone discussion
until SHA3 is selected.
Reviewing the fingerprint is a MAJOR issue, as (parts of) fingerprints are used
as lookup keys in the PKS database.
Here are some points:
I believe that a fingerprint that is longer than 160 bits is pointless; even 160
bits is an overkill causing inconvenience with no tangible benefit in terms of
security over a 128 bit fingerprint.
What does cause some problems is the fact that the creation date (32 bits) is
included in the fingerprint. It makes several attacks substantially easier than
if the fingerprint was calculated only over the key material and key attributes
(such as key type). Basically, it should be impossible for the same key to have
different fingerprints.
Also, since mobile phones typically have a numeric keypad, it would be nice if
fingerprints and key IDs were numeric-only. It is an increasingly important
platform for OpenPGP, I believe.
--
Daniel
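
Added illustration, not part of either message: the V4 fingerprint as defined in RFC 4880 section 12.2 (SHA-1 over `0x99`, a two-octet length, and the public-key packet body, which includes the 32-bit creation time), showing that identical key material yields different fingerprints and key IDs when only the timestamp changes. The RSA modulus is a constructed placeholder, not a usable key, and `material_only_fingerprint` is a hypothetical scheme sketched from the suggestion above, not anything defined by OpenPGP.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP MPI: two-octet bit count, then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """V4 public-key packet body for RSA (public-key algorithm ID 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1(0x99 || two-octet body length || body)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_ids(fingerprint: bytes) -> tuple:
    """Long (64-bit) and short (32-bit) key IDs are the fingerprint's low octets."""
    return fingerprint[-8:].hex().upper(), fingerprint[-4:].hex().upper()

def material_only_fingerprint(n: int, e: int) -> bytes:
    """Hypothetical: hash only key type and key material, no creation time."""
    return hashlib.sha1(bytes([1]) + mpi(n) + mpi(e)).digest()

# Constructed 2048-bit odd integer standing in for an RSA modulus.
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big")
SAMPLE_N |= (1 << 2047) | 1
SAMPLE_E = 65537

# Two constructed creation times, one second apart.
T1, T2 = 1230768000, 1230768001

if __name__ == "__main__":
    for created in (T1, T2):
        fpr = v4_fingerprint(v4_public_key_body(created, SAMPLE_N, SAMPLE_E))
        long_id, short_id = key_ids(fpr)
        print(created, fpr.hex().upper(), long_id, short_id)
    # The material-only hash has no timestamp input, so it is stable.
    print(material_only_fingerprint(SAMPLE_N, SAMPLE_E).hex().upper())
```

A PKS-style lookup keyed on the short or long key ID therefore treats the two packets as unrelated keys, even though the RSA material is byte-for-byte identical.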