
Re: [openpgp] v5 in the crypto-refresh draft

2021-06-10 00:41:08
Daniel Kahn Gillmor writes:

> Key ID or fingerprint comparison has been recommended in the past by the
> OpenPGP community as a reasonable way that one communications peer can
> confirm that they have the "right key".

Ah, good point, so it's a human-factors thing rather than just (say) mapping
a signature to the key that signed it, where even if you can create a
collision to point to a different key the signature check will still fail.

> which I'll call the "comparison-verification" practice:

Is it worth mentioning this in the text?  The current text just says "this
thing is the fingerprint" with an implicit use elsewhere in the doc of
"the thing used to identify which key is being used", without mentioning its
second, non-protocol use, to verify someone's key.

(Is this still done?  When was the last time someone here attended a
key-signing party?)

> I'm fine with either of these two framings, with a slight preference for
> Paul's text as it captures a bit more of the shifting landscape.

I'm happy with Paul's text as well.

Peter.

_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp