ietf-openpgp

Re: [openpgp] Fingerprints

2015-05-06 13:38:34
On Tue, 2015-05-05 at 21:34 -0400, Phillip Hallam-Baker wrote:
> I don't think so. Particularly if we are going to Base32 encoding and
> make sure that there is no confusion between the legacy SHA-1
> fingerprints and the new ones.

Which is easily achieved when we add some algo/version qualifier as it
was proposed before.


> Which is why I would like to move to a fingerprint format that can be
> used with any protocol. Do it once, do it right and we don't have to
> do it again.

In principle I'd agree... apart from that I don't believe we'll never
have to do it again (in the sense of exchanging the algo).

However, as for the "core" standard I'd still only specify the simplest
form of a fingerprint string format,
e.g. something like
    <algo/version>:<FPdata>
and then for the "current" algo/version e.g.
    0:<base32 of the SHA3-512 FP>
(i.e. the length would be dependent on <algo/version>).

Any further specifications, like how to map this into URLs or the like
should probably go into a separate RFC.
As should any further "formats" like a QR code representation of the FP.


> We do not even need to decide on a strength. Just make it so that the
> number of significant bits is however many bits that are provided. We
> can all use SHA-2-512 or SHA-3-512 and truncate to 125, 150, 250...
> bits as the application requires.

I'm a bit sceptical about that... I think we rather should specify some
lengths/format and at least not encourage implementations to choose what
they think would be enough (cause then we have folks like GNOME which
take the first and last byte or so *grin*)

Cheers,
Chris.
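
The `<algo/version>:<FPdata>` string discussed in this message, as an added Python sketch that is not part of the original e-mail or of any OpenPGP specification. It shows a parser that takes the data length from the qualifier and so refuses truncated or unqualified legacy fingerprints. The function names, the registry table, stripping of `=` padding, case-insensitive input and the bytes being hashed are all assumptions.

```python
import base64
import hashlib
import hmac

# Registry of algo/version ids. Only "0" (SHA3-512, as in the e-mail's
# example) is defined; the table layout itself is an assumption.
ALGOS = {"0": (hashlib.sha3_512, 64)}


def format_fingerprint(key_material: bytes, algo: str = "0") -> str:
    """Return '<algo/version>:<base32 of full digest>' without '=' padding."""
    hash_fn, _ = ALGOS[algo]
    digest = hash_fn(key_material).digest()
    return f"{algo}:{base64.b32encode(digest).decode('ascii').rstrip('=')}"


def parse_fingerprint(text: str) -> tuple[str, bytes]:
    """Parse a fingerprint string, rejecting unknown ids and wrong lengths."""
    algo, sep, data = text.partition(":")
    if not sep or algo not in ALGOS:
        raise ValueError("missing or unknown algo/version qualifier")
    _, digest_len = ALGOS[algo]
    padded = data.upper() + "=" * (-len(data) % 8)
    try:
        raw = base64.b32decode(padded)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("fingerprint data is not valid base32") from exc
    # The length is fixed by the qualifier, so truncated forms are refused.
    if len(raw) != digest_len:
        raise ValueError(f"algo {algo} requires {digest_len} bytes, got {len(raw)}")
    return algo, raw


def matches(text: str, key_material: bytes) -> bool:
    """Check a presented fingerprint string against key material."""
    algo, raw = parse_fingerprint(text)
    expected = ALGOS[algo][0](key_material).digest()
    return hmac.compare_digest(raw, expected)


if __name__ == "__main__":
    key = b"constructed sample key material"  # placeholder, not a real key packet
    fp = format_fingerprint(key)
    print(fp)
    print(matches(fp, key))
```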
