On 4/7/16 at 11:39 PM, wk(_at_)gnupg(_dot_)org (Werner Koch) wrote:

> On Wed, 6 Apr 2016 20:15, brynosaurus(_at_)gmail(_dot_)com said:
>
>> 1. What fingerprint scheme(s) should OpenPGP move to going forward?
>
> A SHA-256 hash of the artificial OpenPGP key packet as we use it right
> now. The open question is whether to
>
> - include a creation timestamp,
> - a timestamp but fixed to 0 (as Google End-to-End does),
> - some other static info data to surely separate that fingerprint from
>   other protocols' fingerprints using the same key (i.e. token based)
> - no creation timestamp
If we use the string, "PGP Fingerprint", or some such, we get
pretty good protection against cross protocol confusion. That
string could go in the former timestamp field.
> You describe how a fingerprint is presented to the user. This has been
> out of scope for OpenPGP. Implementations have settled for a de-facto
> standard outside of the protocol. I think we should keep it this way
> and at best give only a suggestion for a human readable format.
>
> Humans are bad at comparing fingerprints; this should in general be left
> to the software and additional protocols to establish a connection
> between an identity and a key/fingerprint.
Bryan discussed the issue of verifying keys via fingerprints
from e.g. business cards -- a procedure I have actually
performed. And I verified all of the characters in the
fingerprint too. :-)
This use case makes a strong case for a standard print format
for fingerprints, so a fingerprint from one application can be
input to another application for verification (a very good idea
Werner), or in true desperation, eyeball verified.
I do not see this use case going away because it allows people
to eliminate third parties (e.g. web of trust or CAs) and reduce
the number of different actors they are depending on for their security.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz        | Re: Hardware Management Modes:       | Periwinkle
(408)356-8506      | If there's a mode, there's a         | 16345 Englewood Ave
www.pwpconsult.com | failure mode. - Jerry Leichter       | Los Gatos, CA 95032
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
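The following is an added example, not code from this thread or from GnuPG, End-to-End, or any other OpenPGP implementation. It shows what Werner's proposal and Bill's suggestion look like in bytes: a SHA-256 hash over the v4-style "artificial" public-key packet (0x99, two-byte length, packet body), with the 4-byte creation-time slot filled three ways: the real timestamp, zero, or a domain-separation string such as "PGP Fingerprint". The function names (`fp_with_timestamp`, `fp_zero_timestamp`, `fp_domain_tag`, `display`), the dummy key constants `DUMMY_N`/`DUMMY_E`, and the encoding of the string as a one-byte length plus the string (the string does not fit in four bytes, and the thread fixes no encoding) are all assumptions made for this example.

```python
# Added example, not code from the thread or from any OpenPGP implementation.
# It hashes a v4-style public-key packet body with SHA-256 and fills the
# 4-byte creation-time slot in the three ways under discussion.  The key
# material below is a constructed dummy, not a real key.
import hashlib
import struct
from typing import Sequence

RSA_ALGO_ID = 1  # OpenPGP public-key algorithm id for RSA


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte big-endian bit count, then the magnitude."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def key_body(time_slot: bytes, algo: int, mpis: Sequence[int]) -> bytes:
    """v4 public-key packet body: version byte, the (former) creation-time slot,
    algorithm id, then the algorithm-specific MPIs."""
    return b"\x04" + time_slot + bytes([algo]) + b"".join(mpi(m) for m in mpis)


def fingerprint_input(body: bytes) -> bytes:
    """The 'artificial packet' v4 hashes: 0x99, 2-byte big-endian body length, body."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def fingerprint_sha256(body: bytes) -> bytes:
    """SHA-256 over the artificial packet, in place of v4's SHA-1."""
    return hashlib.sha256(fingerprint_input(body)).digest()


# Variant 1: keep the real creation timestamp.  The same key material
# re-created at a different second gets a different fingerprint.
def fp_with_timestamp(created: int, algo: int, mpis: Sequence[int]) -> bytes:
    return fingerprint_sha256(key_body(struct.pack(">I", created), algo, mpis))


# Variant 2: timestamp fixed to 0 (as the thread says End-to-End does).
# The fingerprint then depends only on the algorithm id and key material.
def fp_zero_timestamp(algo: int, mpis: Sequence[int]) -> bytes:
    return fingerprint_sha256(key_body(b"\x00" * 4, algo, mpis))


# Variant 3: a domain-separation string in the former timestamp slot, so the
# same key used by another protocol (with its own tag) hashes differently.
# Assumption for this example: the string is stored as a 1-byte length
# followed by the string, since it is longer than the 4-byte slot.
def fp_domain_tag(tag: bytes, algo: int, mpis: Sequence[int]) -> bytes:
    if not 0 < len(tag) < 256:
        raise ValueError("domain tag must be 1..255 bytes")
    return fingerprint_sha256(key_body(bytes([len(tag)]) + tag, algo, mpis))


def display(fp: bytes) -> str:
    """One common human-readable form: upper-case hex in groups of four characters."""
    h = fp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


# Constructed dummy RSA key material (illustration only, not a usable key).
DUMMY_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E2BE2BE8FA60150B9046965837C3E7D151B7DE237EBB957C20663898250703B3F
DUMMY_E = 65537


if __name__ == "__main__":
    mpis = [DUMMY_N, DUMMY_E]
    created = 1459972500  # constructed timestamp, roughly the date of the thread
    print("with timestamp  :", display(fp_with_timestamp(created, RSA_ALGO_ID, mpis)))
    print("re-created +1s  :", display(fp_with_timestamp(created + 1, RSA_ALGO_ID, mpis)))
    print("zero timestamp  :", display(fp_zero_timestamp(RSA_ALGO_ID, mpis)))
    print("PGP Fingerprint :", display(fp_domain_tag(b"PGP Fingerprint", RSA_ALGO_ID, mpis)))
    print("other protocol  :", display(fp_domain_tag(b"Other Protocol", RSA_ALGO_ID, mpis)))
```

Running it shows the trade-off in the thread directly: under variant 1 only the timestamp line differs between the two "with timestamp" rows, so a key re-created from the same material is no longer recognised; under variants 2 and 3 re-creation does not change the fingerprint, and variant 3 additionally gives a different value for the same key under a different protocol tag. `display` is one presentation choice, consistent with Werner's point that the format is a suggestion rather than part of the protocol.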