ietf-openpgp

Re: decimal fingerprints [was: Re: Non-SHA-1 fingerprints]

2009-05-05 02:32:41
Actually, it is not the fingerprint, but the key ID that is typed in, but it is
a NICE feature of OpenPGP at present that the key ID is simply a substring of
the fingerprint. I would hate to lose that.

Daniel Kahn Gillmor wrote:
On 05/04/2009 08:17 PM, David Shaw wrote:
On May 4, 2009, at 6:04 PM, Daniel A. Nagy wrote:

Also, since mobile phones typically have a numeric keypad, it would be
nice if fingerprints and key IDs were numeric-only. It is an increasingly
important platform for OpenPGP, I believe.
I think that is a good point and a great idea, but the only reason that
fingerprints and key IDs are printed in hex now is tradition.  There is
nothing in the standard one way or another about how humans should
consume fingerprints.  You could even do it with the current V4
fingerprints: just as my key fingerprint is
7D92FD313AB6F3734CC59CA1DB698D7199242560 in hex, it is equally correct
as 716901811312187285520504099705403090347495794016 in decimal.  The big
problem I see here is that it's an awfully long number to type into a
mobile keypad.

How often does anyone type in a fingerprint at all?  My impression of
the typical workflow is:


 * read fingerprint from physical media (business card, scrap of paper, etc)

 * search for a key from the public keyservers (usually by User ID).

 * scan list of results for a key with a matching keyid (truncated
fingerprint)

 * fetch selected key from keyserver

 * view/double-check fingerprint of fetched key against physical media

In this workflow, the only typing done is to enter the user id to search
for (and even that is not always needed on a mobile device, because the
person searched for may already be in the address book for other
contacts).  if the fingerprint is entered, it's often only the truncated
keyid, which is guaranteed to be much smaller than the fpr in any case.

Making this change to the fingerprint presentation seems huge: are
people expected to change all their business cards, .sigs, web sites,
etc. to show both styles of fingerprint?  or to completely transition to
the new style?  in terms of truncated fingerprints (keyids), how are we
to distinguish between the ones which currently have only digits 0-9 in
hex and decimal-style fingerprints?  This seems like a very costly
tradeoff for the sake of thumbing in 8 decimal characters instead of 8
hex digits.

      --dkg


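An added example, not part of the original messages: it takes the V4 fingerprint quoted in the thread and checks the two properties under discussion, namely that the key ID stays a suffix of the fingerprint in hex but not in decimal, and that an all-digit hex key ID becomes ambiguous once decimal renderings also circulate. The function names are hypothetical; the only inputs are the hex and decimal strings from the thread.

```python
# Added example: the constants are the fingerprint strings quoted in the thread.
FPR_HEX = "7D92FD313AB6F3734CC59CA1DB698D7199242560"
FPR_DEC = "716901811312187285520504099705403090347495794016"


def key_ids(fpr_hex):
    """Return (long, short) key IDs of a V4 fingerprint as integers.

    A V4 key ID is the low-order 64 bits of the 160-bit fingerprint;
    the short form usually displayed is the low-order 32 bits.
    """
    if len(fpr_hex) != 40:
        raise ValueError("a V4 fingerprint is 40 hex digits")
    fpr = int(fpr_hex, 16)
    return fpr & (2**64 - 1), fpr & (2**32 - 1)


def suffix_survives(fpr_hex, base):
    """True if the long key ID, rendered in `base`, is still a suffix of
    the fingerprint rendered in the same base."""
    fpr = int(fpr_hex, 16)
    long_id, _ = key_ids(fpr_hex)
    if base == 16:
        return format(fpr, "040X").endswith(format(long_id, "016X"))
    if base == 10:
        # 2**64 is not a power of ten, so truncating bits does not
        # correspond to truncating decimal digits.
        return str(fpr).endswith(str(long_id))
    raise ValueError("base must be 10 or 16")


def readings(token):
    """Set of 32-bit values a typed short key ID could mean if both hex
    and decimal renderings were in circulation."""
    values = {int(token, 16)}
    if token.isdigit() and int(token) < 2**32:
        values.add(int(token))  # the same characters read as decimal
    return values


if __name__ == "__main__":
    long_id, short_id = key_ids(FPR_HEX)
    print("long key ID :", format(long_id, "016X"))
    print("short key ID:", format(short_id, "08X"))
    print("thread's decimal matches hex:", int(FPR_HEX, 16) == int(FPR_DEC))
    print("suffix kept in hex    :", suffix_survives(FPR_HEX, 16))
    print("suffix kept in decimal:", suffix_survives(FPR_HEX, 10))
    print("readings of short ID  :", sorted(readings(format(short_id, "08X"))))
```

The short key ID of the fingerprint quoted in the thread happens to consist only of the digits 0-9, so it is itself an instance of the ambiguity raised in the last quoted message.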