On 01/05/2013 11:38 AM, ianG wrote:
> Although see 184.108.40.206 & 5.5.2 for interesting comments. Let's ask for
> consensus on this point:
> Are fingerprints cryptographically secure?
> Or are they convenient human introduction handles?
I can live with the interpretation of RFC 4880 that implies that
fingerprints are not cryptographically secure.
IMO, however, it would be beneficial if they were secure at the birthday
I know that there were suggestions by multiple people to store complete
keys. The problems are:
* keys are volatile; as a developer I want, at least internally in my
software, a method to ID the key material; key material is often reused
and traverses the X.509 and OpenPGP worlds
* it's a convenience when the ID is of fixed size (think about database
tables, software memory allocations, etc.)
There is an objective need to ID the key material with a hash. I think
at the very least we should spec the algorithm in an e-mail on this
list. It would be even better if this algorithm was supported across
applications, so that the IDs are portable.
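An added illustration of the point in the message above (not part of the original e-mail, and not an algorithm proposed on the list): the RFC 4880 V4 fingerprint hashes the key creation time together with the key material, so the same RSA key re-wrapped with a different timestamp gets a different fingerprint, while a hash over the key material alone stays stable and fixed-size. The `material_id` function, its `b"rsa"` label and the toy modulus are assumptions made up for this example.

```python
import hashlib
import struct

def _raw(x: int) -> bytes:
    """Minimal big-endian magnitude of a non-negative integer."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def mpi(x: int) -> bytes:
    """RFC 4880 section 3.2 MPI: 2-byte bit count followed by the magnitude."""
    return struct.pack(">H", x.bit_length()) + _raw(x)

def v4_fingerprint(created: int, n: int, e: int) -> str:
    """RFC 4880 section 12.2 V4 fingerprint of an RSA public key."""
    # Public-key packet body: version 4, creation time, algorithm 1 (RSA), n, e.
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    # SHA-1 over 0x99, a 2-byte body length, then the body itself.
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()

def material_id(n: int, e: int) -> str:
    """Hypothetical container-independent ID (assumption, not a spec):
    SHA-256 over a label and the length-prefixed RSA parameters n and e."""
    h = hashlib.sha256(b"rsa")  # label separates key types from each other
    for x in (n, e):
        raw = _raw(x)
        # The length prefix keeps (n, e) pairs from colliding by concatenation.
        h.update(struct.pack(">I", len(raw)) + raw)
    return h.hexdigest()

# Constructed toy parameters for the demonstration; not a usable key.
N = (2**127 - 1) * (2**89 - 1)
E = 65537

if __name__ == "__main__":
    # Same key material, two different OpenPGP creation times (constructed).
    for created in (1357380000, 1357466400):
        print(created, v4_fingerprint(created, N, E), material_id(N, E)[:16])
```

The same `(n, e)` pair taken from an X.509 SubjectPublicKeyInfo would yield the same `material_id`, which is the portability property the message asks for.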