Sent from Outlook Mobile
_____________________________
From: Bill Frantz <frantz(_at_)pwpconsult(_dot_)com>
Sent: Tuesday, April 12, 2016 9:01 PM
Subject: Re: [openpgp] Fingerprint requirements for OpenPGP
To: IETF OpenPGP <openpgp(_at_)ietf(_dot_)org>
I have not heard anyone arguing that we don't need some form of
fingerprint that can be typed into a computer for comparison.
(Several have argued that eyeball comparison is error prone.)
Well, typing random data is error prone too. Perhaps we should
have some form of check digit(s) so the program processing the
type in can flag bad data entry and not confuse it with
fingerprint match failure.
Cheers - Bill
--------------------------------------------------------------
There are many use cases for typing in a fingerprint. I want to send someone a
mail, I read their fingerprint off a business card or they read it over the
phone or I cut n'paste from somewhere. Comparison is more common though. And
that allows us to use 'big dictionary' type approaches.
I am working on a doc, but there are some important points from the WG meeting.
One is that there seems to be a confusion between whether the fingerprint or
the key is a root of trust. If you think it is the key that is the root of
trust then the fingerprint has to be canonical, must not include a date stamp
(like it does at present). If however you regard the fingerprint of the key as
the root of trust then it does not need to be canonical. Invalidating a key in
one context does not necessitate invalidating it in all contexts. The catch
being that when the key is presented for validation, you have to also present
all the original attributes bound to it.
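The check-digit idea raised in the quoted message, as an added example that is not part of the thread or of any OpenPGP specification: a typed fingerprint carries a short checksum, so the program can report a data-entry error separately from a genuine fingerprint mismatch. The use of CRC-24 (the checksum OpenPGP ASCII armor already uses), the 6-hex-digit suffix, the function names and the sample fingerprint are assumptions made for this sketch.

```python
import string

# CRC-24 parameters of the OpenPGP ASCII-armor checksum (RFC 4880, section 6.1).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
CHECK_DIGITS = 6  # 24-bit check value as hex; a choice made for this example
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed, not a real key


def crc24(data: bytes) -> int:
    """Bitwise CRC-24; catches any error burst of up to 24 bits."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def _normalise(text: str) -> str:
    """Drop whitespace and fold case so grouping does not matter."""
    return "".join(text.split()).upper()


def with_check_digits(fingerprint_hex: str) -> str:
    """Return the fingerprint plus check digits, grouped in fours for reading."""
    fpr = _normalise(fingerprint_hex)
    full = fpr + f"{crc24(bytes.fromhex(fpr)):06X}"
    return " ".join(full[i:i + 4] for i in range(0, len(full), 4))


def classify_entry(typed: str, expected_fingerprint_hex: str) -> str:
    """Return 'entry-error', 'mismatch' or 'match' for a typed fingerprint."""
    entry = _normalise(typed)
    body, check = entry[:-CHECK_DIGITS], entry[-CHECK_DIGITS:]
    well_formed = (len(body) > 0 and len(body) % 2 == 0
                   and all(c in string.hexdigits for c in entry))
    # A failed checksum means the typing went wrong; say so instead of
    # reporting that the key does not match.
    if not well_formed or f"{crc24(bytes.fromhex(body)):06X}" != check:
        return "entry-error"
    if body != _normalise(expected_fingerprint_hex):
        return "mismatch"
    return "match"
```

The checksum only catches accidental typing errors; it adds nothing against a deliberately substituted fingerprint, which is still decided by the comparison itself.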