On 01/17/2011 10:22 PM, David Shaw wrote:
> I like this idea. I would do it as "full fingerprint" myself.
> The difference in storage between 160 bits and 96 bits is all
> of 8 bytes. I think the simplicity of being able to say the
> whole fingerprint is in there is worth a measly 8 bytes.

That seems like a reasonable cost/benefit analysis to me.

> Do we necessarily need a new subpacket type for this? It
> could pretty easily be a notation.

Thereby making it even longer -- how many bytes are you prepared to
throw at the problem? ;)

So with gpg, this is doable already with something like this in gpg.conf:

    sig-notation signer-fpr@notations.openpgp.fifthhorseman.net=%g

I dislike this aesthetically for 3 reasons:

 0) the subpacket is hashed into the signature created, which doesn't
    seem necessary.

 1) the notation value is in plain text (twice as long as it needs to be)

 2) i don't like the notation name being as long as the one i just chose :P

but maybe i'm just being a bit-miser with 1 and 2. And maybe 0 isn't
all that important, either. (is there a way to tell GnuPG to make the
notation subpacket in the unhashed part of the signature?)

i (think i) have signed this message using the above notation name. i'd
be happy to drop that notation name in favor of anything more concise
from a domain with a reasonably stable track record related to this stuff.

If anyone on the list has difficulty verifying my signature as a result
of this notation, please let me know.

David, do you think a patch to interpret a notation like this would be
of interest to GnuPG? Are any other OpenPGP implementations willing or
interested in coming to consensus on a notation name and working on this?

And what should an implementation do if the issuer subpacket and the
"full fingerprint" packet disagree on the last 64 bits?

--dkg
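
Added example, not part of the original message and not GnuPG code: a sketch of how a verifier could detect the disagreement asked about above. It walks RFC 4880 signature subpackets and compares the 8-octet issuer key ID with the last 64 bits of the fingerprint carried in the notation. The function names, the sample fingerprint and the helper constructors are assumptions made for illustration.

```python
import struct

# Notation name from the message; subpacket types 16/20 are from RFC 4880.
NOTATION_NAME = b"signer-fpr@notations.openpgp.fifthhorseman.net"
ISSUER, NOTATION = 16, 20

def subpackets(area):
    """Yield (type, body) for each subpacket in a signature subpacket area."""
    i = 0
    try:
        while i < len(area):
            first = area[i]
            if first < 192:                      # one-octet length
                length, i = first, i + 1
            elif first < 255:                    # two-octet length
                length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
            else:                                # five-octet length
                length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
            if length < 1 or i + length > len(area):
                raise ValueError("subpacket overruns its area")
            yield area[i] & 0x7F, area[i + 1:i + length]   # drop critical bit
            i += length
    except (IndexError, struct.error):
        raise ValueError("truncated subpacket length") from None

def issuer_check(area):
    """Return "match", "mismatch" or "incomplete"; area may be hashed + unhashed."""
    key_id = fpr = None
    for sp_type, body in subpackets(area):
        if sp_type == ISSUER and len(body) == 8:
            key_id = body
        elif sp_type == NOTATION and len(body) >= 8:
            name_len, value_len = struct.unpack(">HH", body[4:8])
            name = body[8:8 + name_len]
            value = body[8 + name_len:8 + name_len + value_len]
            if name == NOTATION_NAME:
                fpr = bytes.fromhex(value.decode("ascii"))  # %g is hex text
    if key_id is None or fpr is None or len(fpr) != 20:
        return "incomplete"
    return "match" if fpr[-8:] == key_id else "mismatch"

# Constructed sample data (hypothetical helpers, one-octet lengths only).
SAMPLE_FPR = bytes(range(0x10, 0x24))
def make_subpacket(sp_type, body):
    return bytes([len(body) + 1, sp_type]) + body
def make_notation(name, value):
    return bytes([0x80, 0, 0, 0]) + struct.pack(">HH", len(name), len(value)) + name + value
```

The check only reports the disagreement; what a verifier should then do with a "mismatch" is the open question in the message.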