On 03/13/2014 10:26 PM, Daniel Kahn Gillmor wrote:
> the OpenPGP fingerprint revision discussions have not yet terminated in
> a clear conclusion -- the last stage we reached was "wait until
> SHA-3 has settled down and then reconsider".
>
> You should *not* use keyIDs as distinct identifiers in the subpacket
> body of the ring signature design; the use of keyIDs in the traditional
> issuer subpacket is a mistake that i hope we don't propagate if/when
> OpenPGPv5 ever gets standardized.
>
> Your I-D should have the subpacket body built from either OpenPGPv4
> fingerprints, or full public key packets. the search space for key IDs
> is too small to distinguish "bad signature" from "i don't have the
> appropriate key" with sufficient confidence, which causes all sorts of
> nasty UI edge cases.
>
> --dkg

Thanks for the info. I will likely follow your suggestion and modify my
proposal to use V4 fingerprints rather than key IDs.
Vincent
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
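
The distinction discussed in the thread, as an added example that is not part of either message: a V4 fingerprint computed per RFC 4880 section 12.2, the key ID derived from it, and the verdict a verifier can reach with each identifier. The `classify` function, the `verifies` callback and the two packet bodies are hypothetical and constructed for illustration.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian octets."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-octet body length, packet body."""
    if body[:1] != b"\x04":
        raise ValueError("not a version 4 public key packet body")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_id(fingerprint: bytes) -> bytes:
    """A V4 key ID is the low-order 64 bits of the 160-bit fingerprint."""
    return fingerprint[-8:]

def classify(issuer: bytes, keyring: list, verifies) -> str:
    """Hypothetical verifier front end (assumption, not from any implementation).

    issuer   -- 20 octets (V4 fingerprint) or 8 octets (key ID)
    keyring  -- public key packet bodies held locally
    verifies -- callback: does the signature check out under this key?
    """
    if len(issuer) not in (8, 20):
        raise ValueError("issuer must be a key ID or a V4 fingerprint")
    # endswith() is an exact match for 20 octets, a low-64-bit match for 8.
    candidates = [k for k in keyring if v4_fingerprint(k).endswith(issuer)]
    if not candidates:
        return "missing-key"
    if any(verifies(k) for k in candidates):
        return "good"
    # A fingerprint pins the exact key, so a failure is a bad signature.
    # A key ID match may be a different key sharing the same 64 bits, so
    # the failure cannot be told apart from "signer's key is not held".
    return "bad-signature" if len(issuer) == 20 else "bad-signature-or-wrong-key"

# Constructed packet bodies (version 4, creation time, algorithm 1 = RSA,
# toy MPIs for n and e). These are sample inputs, not real keys.
KEY_A = b"\x04" + struct.pack(">IB", 1394749560, 1) + mpi(0xC0FFEE0000000001) + mpi(65537)
KEY_B = b"\x04" + struct.pack(">IB", 1394749561, 1) + mpi(0xC0FFEE0000000003) + mpi(65537)

if __name__ == "__main__":
    fpr = v4_fingerprint(KEY_A)
    print("fingerprint:", fpr.hex().upper())
    print("key ID:     ", key_id(fpr).hex().upper())
    print(classify(fpr, [KEY_A, KEY_B], lambda k: False))
    print(classify(key_id(fpr), [KEY_A, KEY_B], lambda k: False))
```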