On Jan 18, 2011, at 12:48 PM, Jon Callas wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I agree. Further I am not sure whether we should do this full
fingerprint proposal right now or better wait for SHA-3. If we would
settle now for a new fingerprint signature subpacket we will for sure
need to revise that for SHA-3. We would need to maintain code for the
current fingerprint as well as for a SHA-3 for a little eternity.
If we combine it with a hash-independent fingerprint -- e.g., first byte is
an algorithm ID, others are the actual hash -- then we can put it in now and
then run with it.
Rather than first byte being an algorithm ID, how about first byte being the
version of the fingerprint? So, it would be "4" for the current fingerprint,
"5" for whatever we come up with later, etc. If it is an algorithm ID, then we
could end up with two different people encoding their fingerprints in two
different ways, and have to support reading that in the clients.
David