Re: [openpgp] Fingerprint requirements for OpenPGP

"Derek Atkins" <derek@ihtfp.com> Tue, 12 April 2016 17:45 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE64712D65F for <openpgp@ietfa.amsl.com>; Tue, 12 Apr 2016 10:45:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ihtfp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1AgK3vfhSwzM for <openpgp@ietfa.amsl.com>; Tue, 12 Apr 2016 10:44:59 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2375712D62C for <openpgp@ietf.org>; Tue, 12 Apr 2016 10:44:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id B6154E2030; Tue, 12 Apr 2016 13:44:25 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 17350-07; Tue, 12 Apr 2016 13:44:19 -0400 (EDT)
Received: by mail2.ihtfp.org (Postfix, from userid 48) id 04F71E2038; Tue, 12 Apr 2016 13:44:17 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1460483058; bh=/Iv5gWzm+WQhCrR+yjc0+OwSsahr0GloWpy1cQpbCLQ=; h=In-Reply-To:References:Date:Subject:From:To; b=VBMyxlB14WNEd+NwAxerVmQ1Q8Ke1kA39eL7OIdpgPLmh/BpYba/I5liiKq4CYCM4 N87cQFYF7k/LXiInmxNXs+zqKGlQB884BmAfi8ZLy0fEpjNEPMQGAYGF39ON4KYG6b 0gVuarMlFMD/uFKnGzrJiwwmJqRZAcvyg180r4iI=
Received: from 24.54.172.229 (SquirrelMail authenticated user warlord) by mail2.ihtfp.org with HTTP; Tue, 12 Apr 2016 13:44:17 -0400
Message-ID: <85d83d5bac518c53d7a78d5d049a73ed.squirrel@mail2.ihtfp.org>
In-Reply-To: <87d1pug303.fsf@wheatstone.g10code.de>
References: <87vb3nslqh.fsf@alice.fifthhorseman.net> <sjmbn5e3na2.fsf@securerf.ihtfp.org> <87d1pug303.fsf@wheatstone.g10code.de>
Date: Tue, 12 Apr 2016 13:44:17 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Derek Atkins <derek@ihtfp.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, IETF OpenPGP <openpgp@ietf.org>
User-Agent: SquirrelMail/1.4.22-14.fc20
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/1cxGgvv5P2ieUJ2m4o2pAxLZJVw>
Subject: Re: [openpgp] Fingerprint requirements for OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2016 17:45:01 -0000

Werner,

On Tue, April 12, 2016 1:18 pm, Werner Koch wrote:
> On Tue, 12 Apr 2016 16:38, derek@ihtfp.com said:
>
>> I would argue that (b) is more important than (a).  Your use-case (a)
>> sounds more like a DB Handle, so arguably it should be elided because
>
> (a) is required to lookup a key for a signature.  Sure this could also
> be done using mail address included in the signature.  But a fingerprint
> can work even if a mail provider re-assigns a mail address (assuming the
> mail provider uses OpenPGP DANE or PKA).
>
> Right now a signature includes only a keyid but for rfc4880bis we will
> add a new subpacket for the fingerprint.

This would fall under an "internal DB Identifier."  DKG called that out of
scope for this discussion topic.

There is no human in the loop here.  That means it does not need to be
"the same" as the user-visible "fingerprint".

> Shalom-Salam,
>
>    Werner

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant