ietf-openpgp

Re: [openpgp] Version 5 key and fingerprint proposal

2017-03-14 05:22:30
On Fri, 10 Mar 2017 23:13, joncallas(_at_)icloud(_dot_)com said:

> This is a different suggestion, one about SHA512/t, which has an
> output length of 't' bits. It's a cute little hack that NIST put on
> top of SHA-512 to get a variable-output hash function.

Thanks for the pointer.  However this changes the semantics:

With SHA512/t we need to settle for a certain truncation because the
fingerprint depends on T.  The proposal defines a 32 byte fingerprint
and only uses truncated versions for the two signature subpackets and
the ECDH magic string.  Thus when a SHA-256 truncated to 200 bits shows
weaknesses, we only need to change the signature subpackets to use the
full 256 bits to address this weakness.  The fingerprint however will
not change and there won't be a need to create new keys.

You are right that computing a fingerprint should not be a performance
problem.  Thus we could also use SHA-512 as fingerprint algorithm and
truncate it to 200 bits.  I am actually slightly in favor of using
SHA-512 (but not SHA-512/t).

What do others think:

 - Use SHA-256 and truncate to 200 bits
 - Use SHA-512 and truncate to 200 bits
 - Anything else


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
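
The difference the message describes, as an added example that is not part of the thread or of the proposal: a 200-bit reference cut from a fixed 32-byte SHA-256 fingerprint can later be widened without the fingerprint changing, whereas SHA-512/t yields unrelated values for each t. KEY_MATERIAL and all function names are constructed for illustration, the real fingerprint input format is not reproduced, and the code assumes the local OpenSSL build exposes `sha512_224` and `sha512_256` through `hashlib`.

```python
import hashlib

# Constructed stand-in for serialized public-key octets (assumption: the
# proposal's actual fingerprint input format is not reproduced here).
KEY_MATERIAL = b"constructed example public key octets"

def fingerprint(data: bytes) -> bytes:
    """Fixed 32-byte fingerprint: the full SHA-256 digest."""
    return hashlib.sha256(data).digest()

def short_ref(fpr: bytes, bits: int) -> bytes:
    """Leftmost `bits` bits of an existing fingerprint (whole bytes only)."""
    if bits % 8 or not 0 < bits <= len(fpr) * 8:
        raise ValueError("bits must be a byte multiple within the fingerprint")
    return fpr[: bits // 8]

def matches(fpr: bytes, ref: bytes) -> bool:
    """True if a reference of any width identifies this fingerprint."""
    return fpr.startswith(ref)

def sha512_t(data: bytes, t: int) -> bytes:
    """SHA-512/t for t in (224, 256); each t uses its own initial values."""
    return hashlib.new(f"sha512_{t}", data).digest()

def demo() -> dict:
    fpr = fingerprint(KEY_MATERIAL)
    ref200, ref256 = short_ref(fpr, 200), short_ref(fpr, 256)
    t224, t256 = sha512_t(KEY_MATERIAL, 224), sha512_t(KEY_MATERIAL, 256)
    return {
        # Truncation: widening the reference leaves the fingerprint as it was,
        # and references already issued at 200 bits still resolve.
        "old_ref_still_matches": matches(fpr, ref200),
        "wide_ref_is_fingerprint": ref256 == fpr,
        # SHA-512/t: changing t gives a different value, not a longer one.
        "t224_is_prefix_of_t256": t256.startswith(t224),
        "t256_is_truncated_sha512":
            t256 == hashlib.sha512(KEY_MATERIAL).digest()[:32],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
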