Re: [openpgp] rfc3880bis - hard expiration time
2015-04-28 10:59:52On Tue, 2015-04-28 at 11:36 -0400, Phillip Hallam-Baker wrote:
On Tue, Apr 28, 2015 at 10:04 AM, Derek Atkins <derek(_at_)ihtfp(_dot_)com> wrote:Of course. And in many use cases that's probably sufficient. I see use cases where it is not sufficient so I'd like to re-gain that feature.I think this is a use case but a distinct usecase from the usual interpretation of fingerprint on a businesscard. We need a range of fingerprints for different purposes and that is why I want to have the content-type to be part of the data that is being hashed.
Maybe it's just me but you seem to often mix up different topics... What has the question of hard expiration times to do with the fingerprint formats, content-types or fingerprint use cases?
One use case is to create a persistent identifier that is indexical to a public key they are the holder of. This form of identifier can be a 'life long' identity that is immutable and can be depended no not to change even though the holders name (marriage) and email address are likely to. The way to address that use case is to hash a public key and algorithm identifier and absolutely nothing else and if the identity is going to last a lifetime you probably want that to be just a signature key for an offline root.
With that alone you make hard expiration times impossible, and open the window for attacks based on the expiration time not being hard.
Another use case is to introduce a key that is going to be used to
execute contracts. Here my preferred mechanism would be SAML because
that is what the assertion infrastructure was originally architected
to support.
I can see applications that fall short of binding contracts where it
makes sense to expire the fingerprint and to bind it to both an
expiration date and a subject identity.
If the syntax is PKIX then this would be application/pkix-cert. For
PGP the content type application/pgp-keysigning probably makes sense.
Long term I would want to redo SAML with {} instead of <> and the
result would probably be something like application/json-assertion.
But that is currently at the research stage.
All of that goes seems to go way beyond the scope of OpenPGP. We're a generic crypto message format... I don't think we shold mix OpenPGP with 3rd party protocols, unless these are really *basic* (things like BASE32).
Yet another use for fingerprint technology is in exchanging and displaying status of append only logs.
None of our business,... these are higher level apps which may use our stuff.. We need to provide the means for - encryption - signing / authentication / etc. - timestamping - certifying different kinds of identities (names, images, birthdays, etc.) - build trust networks respectively relate the different identities - revocation, expiration - extensibility of the message format and things like these. But it's not our business to make special things form mail, SAML, and so on. Cheers, Chris.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ openpgp mailing list openpgp(_at_)ietf(_dot_)org https://www.ietf.org/mailman/listinfo/openpgp
| Previous by Date: | Re: [openpgp] Fingerprint, Base32 or Base32C?, Phillip Hallam-Baker |
|---|---|
| Next by Date: | Re: [openpgp] rfc3880bis - hard expiration time, Phillip Hallam-Baker |
| Previous by Thread: | Re: [openpgp] rfc3880bis - hard expiration time, Phillip Hallam-Baker |
| Next by Thread: | Re: [openpgp] rfc3880bis - hard expiration time, Phillip Hallam-Baker |
| Indexes: | [Date] [Thread] [Top] [All Lists] |