Re: [openpgp] Fingerprint requirements for OpenPGP

Derek Atkins <derek@ihtfp.com> Thu, 14 April 2016 15:18 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE36112D717 for <openpgp@ietfa.amsl.com>; Thu, 14 Apr 2016 08:18:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ihtfp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LUgaNa6n-VhL for <openpgp@ietfa.amsl.com>; Thu, 14 Apr 2016 08:18:06 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E12512E0FB for <openpgp@ietf.org>; Thu, 14 Apr 2016 08:18:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 8D64FE2038; Thu, 14 Apr 2016 11:18:04 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 05784-06; Thu, 14 Apr 2016 11:18:00 -0400 (EDT)
Received: from securerf.ihtfp.org (tacc-24-54-172-229.smartcity.com [24.54.172.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id 78E04E2030; Thu, 14 Apr 2016 11:18:00 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1460647080; bh=NkeW8GQHdLaVyQiAFeyAlO8lXDZNSlfxzKZP8Ysq/Q0=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=jT97bEGjF8WskWA3N9lvRrwvZDBKzJ9uhlYY2R68vGyt7VrXYDnXhfrMuaKRJKqZQ u0/9sL5RHNltaVOvnW71DAehH4A2K9PY0L0aaILVS7VlVfYHWPhrYyfFw+tzo769HL Pha1jV8ab6IkhlXlfVN1zHd/bTa2ijUU15dVHBC8=
Received: (from warlord@localhost) by securerf.ihtfp.org (8.15.2/8.14.8/Submit) id u3EFHrvP011295; Thu, 14 Apr 2016 11:17:53 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Derek Atkins <derek@ihtfp.com>
References: <87vb3nslqh.fsf@alice.fifthhorseman.net> <sjmbn5e3na2.fsf@securerf.ihtfp.org> <87d1pug303.fsf@wheatstone.g10code.de> <85d83d5bac518c53d7a78d5d049a73ed.squirrel@mail2.ihtfp.org> <87wpo2ehch.fsf@wheatstone.g10code.de> <sjmk2k11t53.fsf@securerf.ihtfp.org> <87zisxa4ac.fsf@wheatstone.g10code.de>
Date: Thu, 14 Apr 2016 11:17:48 -0400
In-Reply-To: <87zisxa4ac.fsf@wheatstone.g10code.de> (Werner Koch's message of "Wed, 13 Apr 2016 17:59:07 +0200")
Message-ID: <sjmwpo0z0bn.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/0Pix_i6vzfytYDMD1jQIHv5y6vo>
Cc: IETF OpenPGP <openpgp@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [openpgp] Fingerprint requirements for OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2016 15:18:13 -0000

Werner Koch <wk@gnupg.org> writes:

>> I think we need to step back again and keep in mind that the (human)
>> authenticaton fingerprint may (should?) be different from the (internal
>> or external) database identifer string.
>
> Okay.  But the new scheme should allow to derive the human
> authentication fingerprint from the internal fingerprint w/o the need
> for additional input.

Well, this then begs the question of whether this internal fingerprint
may include additional information or if it's purely on the actual key
material.  I've lost the mental context for the argument that the
identifier should be on the actual public key and not the "key
certificate".

Provided that the fingerprint is over the "public key certificate"
(i.e., public key parameters plus some additional data such as creation
and expiration times) I have no objection to the "human authentication
fingerprint" being derived from that.

> Shalom-Salam,
>
>    Werner

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant