On Wed, Mar 08, 2017 at 08:02:54AM +0100, Werner Koch wrote:
On Wed, 8 Mar 2017 00:06, KellerFuchs(_at_)hashbang(_dot_)sh said:
Since it's not entirely clear (at least to me) if this means keeping the 20
rightmost octets or dropping octets right of the 25th, not introducing it
is not ideal.
What about this:
This is very nice: basically as concise, and completely unambiguous
so it doesn't need a definition :)
[...]
Also, but I likely missed the relevant WG thread, why truncate the
fingerprint to 200 bits? (Not that this is likely an issue.)
That was a suggestion from the Berlin meeting.
Given that even for SHA-1 no pre-image attack is known, we get quite
some security margin by using 200 bits from SHA-256 over the 160 from
SHA-1.
When a truncated SHA-256 shows weaknesses we only need to replace two
signature subpackets but the fingerrprint won't change.
Due to the use of the 'Issuer Fingerpint' the signatures grow in size by
22 octets which is substantal for ECC signatures. With the full V5
fingerprint this would increase to 25 octets (34 - 9 from the not used
'Issuer' subpacket). By truncating the fingerprint we will only use 18
octets which is even a saving compared to V4 keys.
Thanks a bunch for the explanation, this makes sense.
Best,
kf
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp