ietf-openpgp

Re: [openpgp] Fingerprint schemes versus what to fingerprint

2016-04-07 01:40:31
On Wed,  6 Apr 2016 20:15, brynosaurus(_at_)gmail(_dot_)com said:

> 1. What fingerprint scheme(s) should OpenPGP move to going forward?

A SHA-256 hash of the artificial OpenPGP key packet as we use it right
now.  The open question is whether to 

  - include a creation timestamp,
  - a timestamp but fixed to 0 (as Google End-to-End does),
  - some other static info data to surely separate that fingerprint from
    other protocols' fingerprints using the same key (i.e. token based),
  - no creation timestamp

The rationale for SHA-256 is that this is the only fast algorithm on all
platforms.

A related question is how to identify the new fingerprint scheme in
OpenPGP objects which store a fingerprint:

  - Implicit by the length of the fingerprint,
  - or by a prefix byte with the hash algorithm,
  - or by a prefix byte with the key version number,
  - or by a prefix byte with the length of the fingerprint.

All but the first option allow storing a truncated fingerprint in some
object (the forthcoming Issuer-Fpr signature subpacket, the updated
Revocation Key subpacket).  I tend to prefer the second option because
this reflects existing usage:

  5.2.3.25.  Signature Target

   (1 octet public-key algorithm, 1 octet hash algorithm, N octets hash)

The public-key algorithm byte does not make much sense, though.

> 2. What exactly should the OpenPGP “application” fingerprint with that scheme?

> To clarify, I propose to define a “fingerprint scheme” as an algorithm
> that takes a raw octet string and produces an ASCII string of some

You describe how a fingerprint is presented to the user.  This has been
out of scope for OpenPGP.  Implementations have settled for a de-facto
standard outside of the protocol.  I think we should keep it this way
and at best give only a suggestion for a human readable format.

Humans are bad at comparing fingerprints; this should in general be left
to the software and additional protocols to establish a connection
between an identity and a key/fingerprint.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
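An added example, not from the thread or from any OpenPGP implementation, that works through the options listed above: the existing v4 SHA-1 fingerprint over the 0x99-framed key packet, a SHA-256 variant with the creation timestamp either kept or fixed to 0, an optional static context string for separating it from other protocols' fingerprints of the same key, and a hash-algorithm prefix byte that keeps a truncated stored fingerprint self-describing. The sample MPIs, the timestamps and the framing of the SHA-256 variants are constructed assumptions, not a specified format.

```python
import hashlib
import struct
from typing import List, Optional, Tuple

HASH_SHA1, HASH_SHA256, PUBKEY_RSA = 2, 8, 1  # OpenPGP registry ids (RFC 4880, 9.4 / 9.1)

def key_packet_body(creation_time: int, algo: int, mpis: List[bytes]) -> bytes:
    """v4 public-key packet body: version, 4-octet creation time, 1-octet
    algorithm, then each MPI as a 2-octet bit count plus magnitude bytes."""
    body = b"\x04" + struct.pack(">IB", creation_time, algo)
    for m in mpis:
        m = m.lstrip(b"\x00")
        body += struct.pack(">H", (len(m) - 1) * 8 + m[0].bit_length()) + m
    return body

def fingerprint_v4(body: bytes) -> bytes:
    """Existing scheme (RFC 4880, 12.2): SHA-1 over 0x99, 2-octet length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def fingerprint_sha256(body: bytes, zero_timestamp: bool = False,
                       context: bytes = b"") -> bytes:
    """SHA-256 over the same framing (an assumed layout, not a specified one).
    zero_timestamp=True replaces the creation time with zeros so the result
    depends on the key material alone; context is an optional static string
    that keeps another protocol's fingerprint of the same key distinct."""
    if zero_timestamp:
        body = body[:1] + b"\x00\x00\x00\x00" + body[5:]
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha256(context + framed).digest()

def tagged_fingerprint(fp: bytes, hash_id: int,
                       truncate_to: Optional[int] = None) -> bytes:
    """Prefix the hash algorithm id so a truncated value stored in a
    subpacket still says which scheme produced it."""
    return bytes([hash_id]) + (fp if truncate_to is None else fp[:truncate_to])

def parse_tagged(stored: bytes) -> Tuple[int, bytes]:
    """Inverse of tagged_fingerprint: (hash id, possibly truncated digest)."""
    return stored[0], stored[1:]

# Constructed sample key material (not a real key): toy RSA modulus and e=65537.
SAMPLE_MPIS = [bytes.fromhex("00c3a1b2d4e5f60718293a4b5c6d7e8f9101"), b"\x01\x00\x01"]
SAMPLE_BODY = key_packet_body(1459977631, PUBKEY_RSA, SAMPLE_MPIS)
SAMPLE_BODY_LATER = key_packet_body(1459977632, PUBKEY_RSA, SAMPLE_MPIS)  # same key, 1 s later

if __name__ == "__main__":
    print("v4 SHA-1   :", fingerprint_v4(SAMPLE_BODY).hex())
    print("SHA-256 t=0:", fingerprint_sha256(SAMPLE_BODY, zero_timestamp=True).hex())
```

With the timestamp kept, the same key material yields a different fingerprint one second later; with it fixed to 0 the two bodies collide, which is exactly the trade-off between the first and second bullets.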