On 01/05/2013 06:04 PM, Werner Koch wrote:
> On Sat, 5 Jan 2013 20:38, iang(_at_)iang(_dot_)org said:
>> Fingerprints aren't really for the wire, and if you use them for the
>> wire, you're exercising your right to develop your own security model
>> and threat model. For my money - don't do that.
>
> The fingerprint is used for a revocation key (5.2.3.15). However, your
> policy may simply disallow the use of a revocation key if this is a
> threat to you.

iirc, there was a rough consensus within this working group that this
was probably a mistake in RFC 4880, and any future revision of the draft
should place the full key material into the revocation key subpacket
instead of the key's fingerprint.
--dkg
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
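
For reference on the subpacket discussed in this thread, an added example (not part of the original messages, and not code from any OpenPGP implementation): Python code that walks a signature subpacket area per RFC 4880 5.2.3.1, extracts Revocation Key subpackets (type 12, 5.2.3.15), which carry only a fingerprint, and applies the kind of policy Werner mentions. The function names, the policy flag and the sample bytes are constructed for illustration.

```python
from typing import Iterator, NamedTuple

REVOCATION_KEY = 12  # subpacket type, RFC 4880 5.2.3.15

class RevocationKey(NamedTuple):
    sensitive: bool   # class bit 0x40
    algorithm: int    # public-key algorithm ID
    fingerprint: str  # 20-octet fingerprint as hex; the key itself is not carried

def subpackets(area: bytes) -> Iterator[tuple[int, bool, bytes]]:
    """Yield (type, critical, body) for each subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated length")
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        # The length counts the type octet; its high bit is the critical flag.
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def revocation_keys(area: bytes) -> list[RevocationKey]:
    """Return every designated revoker named in the subpacket area."""
    found = []
    for sp_type, _critical, body in subpackets(area):
        if sp_type != REVOCATION_KEY:
            continue
        # Body: class octet (0x80 must be set), algorithm ID, 20-octet fingerprint.
        if len(body) != 22 or not body[0] & 0x80:
            raise ValueError("malformed revocation key subpacket")
        found.append(RevocationKey(bool(body[0] & 0x40), body[1], body[2:].hex().upper()))
    return found

def allowed_by_policy(area: bytes, allow_designated_revokers: bool) -> bool:
    """Hypothetical local policy: optionally reject any designated revoker."""
    return allow_designated_revokers or not revocation_keys(area)

# Constructed sample: creation-time subpacket (type 2), then a revocation key
# subpacket naming an RSA (algorithm 1) key with a made-up fingerprint.
SAMPLE_AREA = b"\x05\x02\x50\xe8\x5f\x00" + b"\x17\x0c\x80\x01" + bytes.fromhex("aa" * 20)
```
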