On 01/05/2013 11:38 AM, ianG wrote:
...
Although see 5.2.3.15 & 5.5.2 for interesting comments. Let's ask for
consensus on this point:
Are fingerprints cryptographically secure?
Or are they convenient human introduction handles?
I can live with the interpretation of RFC 4880 that implies that
fingerprints are not cryptographically secure.
IMO, however, it would be beneficial if they were secure at the birthday
boundary size.
I know that there were suggestions by multiple people to store complete
keys. The problems are:
* keys are volatile; as a developer I want, at least internally in my
software, a method to ID the key material; key material is often reused
and traverses X.509 and OpenPGP world
* it's a convenience when the ID is of fixed size (think about database
tables, software memory allocations, etc)
There is an objective need to ID the key material with a hash. I think
at the very least we should spec the algorithm in an e-mail on this
list. It would even be better if this algorithm was supported across
applications, so that the IDs are portable.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp