On Wed, 8 Mar 2017 00:06, KellerFuchs(_at_)hashbang(_dot_)sh said:
Since it's not entirely clear (at least to me) if this means keeping the 20
rightmost octets or dropping octets right of the 25th, not introducing it
is not ideal.
What about this:
-V4 keys use the untruncated 20 octet fingerprint; V5 keys use the
-right truncated 25 octet fingerprint
+V4 keys use the full 20 octet fingerprint; V5 keys use the
+leftmost 25 octets of the fingerprint
Note that the length N of the fingerprint for a version 4 key is 20
-octets. For a version 5 key N is 25 and the fingerprint is right
-truncated to 25 octets.
+octets. For a version 5 key the leftmost 25 octets of the fingerprint
+are used (N=25).
key fingerprint, identifying the key material that is needed for
- the decryption. For version 5 keys the fingerprint is right
- truncated to 20 octets.
+ the decryption. For version 5 keys the 20 leftmost octets of the
+ fingerprint are used.
Also, but I likely missed the relevant WG thread, why truncate the
fingerprint to 200 bits? (Not that this is likely an issue.)
That was a suggestion from the Berlin meeting.
Given that even for SHA-1 no pre-image attack is known, we get quite
some security margin by using 200 bits from SHA-256 over the 160 from
SHA-1.
When a truncated SHA-256 shows weaknesses we only need to replace two
signature subpackets but the fingerrprint won't change.
Due to the use of the 'Issuer Fingerpint' the signatures grow in size by
22 octets which is substantal for ECC signatures. With the full V5
fingerprint this would increase to 25 octets (34 - 9 from the not used
'Issuer' subpacket). By truncating the fingerprint we will only use 18
octets which is even a saving compared to V4 keys.
Shalom-Salam,
Werner
pgpiX3vf1P4NM.pgp
Description: PGP signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp