On Wed, 6 Apr 2016 20:15, brynosaurus(_at_)gmail(_dot_)com said:
> 1. What fingerprint scheme(s) should OpenPGP move to going forward?
A SHA-256 hash of the artificial OpenPGP key packet as we use it right
now. The open question is whether to
- include a creation timestamp,
- a timestamp but fixed to 0 (as Google End-to-End does),
- some other static data to reliably separate that fingerprint from
  other protocols' fingerprints using the same key (i.e. token based),
- no creation timestamp.
The rationale for SHA-256 is that this is the only fast algorithm on all
platforms.
A related question is how to identify the new fingerprint scheme in
OpenPGP objects which store a fingerprint:
- Implicit by the length of the fingerprint,
- or by a prefix byte with the hash algorithm,
- or by a prefix byte with the key version number,
- or by a prefix byte with the length of the fingerprint.
All but the first option allow storing a truncated fingerprint in some
objects (the forthcoming Issuer-Fpr signature subpacket, the updated
Revocation Key subpacket). I tend to prefer the second option because
this reflects existing usage:

  5.2.3.25. Signature Target
  (1 octet public-key algorithm, 1 octet hash algorithm, N octets hash)

The public-key algorithm byte does not make much sense, though.
> 2. What exactly should the OpenPGP “application” fingerprint with that scheme?
>
> To clarify, I propose to define a “fingerprint scheme” as an algorithm
> that takes a raw octet string and produces an ASCII string of some
You describe how a fingerprint is presented to the user. This has been
out of scope for OpenPGP. Implementations have settled on a de-facto
standard outside of the protocol. I think we should keep it this way
and at best give only a suggestion for a human-readable format.
Humans are bad at comparing fingerprints; this should in general be left
to the software and additional protocols to establish a connection
between an identity and a key/fingerprint.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
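As an added example (not part of Werner's mail, nor code from GnuPG or any other OpenPGP implementation), the following Python builds the RFC 4880 "artificial" key packet (0x99, 2-octet length, packet body) for a constructed RSA key and then computes the current SHA-1 v4 fingerprint next to the proposed SHA-256 fingerprint under the three timestamp options listed in the mail. It also contrasts the two ways of identifying the scheme inside an object that stores a fingerprint: implicit by length (option 1) versus a hash-algorithm prefix octet (option 2), and shows why only the latter can carry a truncated value. The key material and creation time are constructed, the byte layout used for the "no creation timestamp" variant is an assumption (the mail does not define one), and the helper names are my own.

```python
import hashlib
import struct

# RFC 4880 section 9.4 hash algorithm IDs and section 9.1 public-key algorithm ID
HASH_SHA1 = 2
HASH_SHA256 = 8
PK_RSA = 1

# Constructed sample key material (not a real key): a 64-bit modulus and e = 65537.
SAMPLE_N = (1 << 63) | 0x0123456789ABCDEF
SAMPLE_E = 65537
SAMPLE_TIME = 1459972500  # constructed creation time, seconds since the epoch


def mpi(n):
    """Encode an integer as an OpenPGP MPI (RFC 4880 section 3.2):
    2-octet big-endian bit length followed by the big-endian value."""
    if n == 0:
        return b"\x00\x00"
    bitlen = n.bit_length()
    return struct.pack(">H", bitlen) + n.to_bytes((bitlen + 7) // 8, "big")


def key_packet_body(creation_time, n, e, include_time=True):
    """Version 4 RSA public-key packet body (RFC 4880 section 5.5.2).
    include_time=False drops the 4 creation-time octets entirely; that layout
    is an assumption standing in for the 'no creation timestamp' option."""
    body = b"\x04"
    if include_time:
        body += struct.pack(">I", creation_time)
    return body + bytes([PK_RSA]) + mpi(n) + mpi(e)


def artificial_packet(body):
    """The 'artificial' packet RFC 4880 section 12.2 feeds to the hash:
    octet 0x99, 2-octet big-endian body length, then the body."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(creation_time, n, e):
    """Current v4 fingerprint: SHA-1 over the artificial packet (20 octets)."""
    return hashlib.sha1(artificial_packet(key_packet_body(creation_time, n, e))).digest()


def sha256_fingerprint(creation_time, n, e, timestamp="keep"):
    """The SHA-256 proposal with the timestamp options from the mail:
    'keep' - hash the packet as it is, creation time included
    'zero' - creation time fixed to 0 (the Google End-to-End variant)
    'omit' - no creation time octets at all (layout assumed, see key_packet_body)"""
    if timestamp == "keep":
        body = key_packet_body(creation_time, n, e)
    elif timestamp == "zero":
        body = key_packet_body(0, n, e)
    elif timestamp == "omit":
        body = key_packet_body(creation_time, n, e, include_time=False)
    else:
        raise ValueError("unknown timestamp mode: %r" % timestamp)
    return hashlib.sha256(artificial_packet(body)).digest()


# --- identifying the scheme inside an object that stores a fingerprint ---

def scheme_from_length(stored):
    """Option 1 (implicit by length). Returns None for anything that is neither
    a full SHA-1 nor a full SHA-256 digest, so a truncated value is unidentifiable."""
    return {20: HASH_SHA1, 32: HASH_SHA256}.get(len(stored))


def tag_fingerprint(fpr, hash_algo, keep=None):
    """Option 2 (hash-algorithm prefix octet, i.e. the Signature Target layout
    without its public-key algorithm octet): 1 octet algorithm, N octets hash.
    keep=k stores only the first k octets of the digest."""
    return bytes([hash_algo]) + (fpr if keep is None else fpr[:keep])


def untag_fingerprint(stored):
    """Parse an option-2 value. Returns (hash_algo, digest, is_full_length)."""
    full = {HASH_SHA1: 20, HASH_SHA256: 32}
    algo, digest = stored[0], stored[1:]
    if algo not in full:
        raise ValueError("unknown hash algorithm id %d" % algo)
    return algo, digest, len(digest) == full[algo]


if __name__ == "__main__":
    for mode in ("keep", "zero", "omit"):
        print(mode, sha256_fingerprint(SAMPLE_TIME, SAMPLE_N, SAMPLE_E, mode).hex())
    print("v4  ", v4_fingerprint(SAMPLE_TIME, SAMPLE_N, SAMPLE_E).hex())
```

Two things are worth noticing when running it: with the timestamp fixed to 0, the fingerprint of a key is the same as the fingerprint of an otherwise identical key created at the epoch, so a re-import with a different creation time no longer changes the fingerprint; and a truncated digest stored under option 1 cannot be told apart from garbage, whereas under option 2 the parser still learns the algorithm and can report that it holds a prefix rather than the full value.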