Re: including the entire fingerprint of the issuer in an OpenPGP certification

Daniel Kahn Gillmor <> Tue, 18 January 2011 22:18 UTC

On 01/18/2011 05:05 PM, David Shaw wrote:
> I don't think we want people using other than the consensus fingerprint algorithms and methods.  I suggest we make the first byte a version field, which can be 
> set to '4' today for the current fingerprint, '5' for v5 keys, etc.

Are we talking about versioning the fingerprint scheme, or versioning
the key?  It sounds like a versioned fingerprint scheme, not a versioned
key scheme to me.

If we say '4' means the fingerprinting standard in RFC 4880 (OpenPGPv4)
and '5' means some other fingerprint scheme then we're effectively
creating a new registry to be managed by IANA, right?

I have no objection to that (and presumably it would be an exceptionally
slow-growing registry) but it'd be good to be clear about what we're doing.

I'd just as soon name the notation issuer-fpr4@whatever.example for the
current fingerprint and then name a new notation
issuer-fpr5@whatever.example when that happens, reusing the existing
notation registry.

(or, if this works and we want IANA to allocate a "global" notation
title, just ask for "issuer-fpr4" now, and "issuer-fpr5" later)

This is all fiddly syntax choices, of course, without much importance,
other than avoiding (current and future) bureaucratic overhead.

> I suppose we could skip that field and detect version based on size,
> but why use heuristics when we can know for sure with a version byte?

We could also be sure if the name of the notation is precise enough.
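To make the two proposals concrete, here is an added example (not from this thread or from any OpenPGP implementation) that encodes an issuer-fingerprint notation data subpacket (RFC 4880 section 5.2.3.16) both ways, version in the notation name versus a leading version octet in the value, and parses either without falling back to a size heuristic. The `whatever.example` namespace, the use of a raw integer octet for the version, and the fingerprint bytes are assumptions made for the example.

```python
# Added example, not code from the thread.  Builds and parses a Notation Data
# signature subpacket (RFC 4880 section 5.2.3.16) carrying an issuer fingerprint.
# Assumptions: "whatever.example" is a placeholder namespace, the version in
# scheme B is a raw integer octet, and all fingerprint bytes are constructed.
import struct

NOTATION_SUBPACKET_TYPE = 20     # subpacket type "Notation Data" (RFC 4880 5.2.3.1)
HUMAN_READABLE = 0x80000000      # notation flag bit; left unset for a binary value
NAMESPACE = "whatever.example"   # placeholder taken from the thread, not a real one

def encode_notation(name: str, value: bytes) -> bytes:
    """Subpacket = length octet, type octet, flags(4), name len(2), value len(2), name, value."""
    name_b = name.encode("utf-8")
    body = struct.pack(">IHH", 0, len(name_b), len(value)) + name_b + value
    # The one-octet subpacket length form suffices here (type + body < 192 octets).
    return bytes([len(body) + 1, NOTATION_SUBPACKET_TYPE]) + body

def decode_notation(sp: bytes):
    """Return (name, value) from a notation subpacket; raise ValueError if malformed."""
    length, sptype = sp[0], sp[1]
    if sptype != NOTATION_SUBPACKET_TYPE or len(sp) != length + 1:
        raise ValueError("not a well-formed notation subpacket")
    flags, nlen, vlen = struct.unpack(">IHH", sp[2:10])
    name, value = sp[10:10 + nlen], sp[10 + nlen:10 + nlen + vlen]
    if len(name) != nlen or len(value) != vlen or flags & HUMAN_READABLE:
        raise ValueError("length mismatch or unexpected human-readable flag")
    return name.decode("utf-8"), value

def scheme_a(version: int, fpr: bytes) -> bytes:
    """Scheme A: version carried in the notation name, value is the bare fingerprint."""
    return encode_notation(f"issuer-fpr{version}@{NAMESPACE}", fpr)

def scheme_b(version: int, fpr: bytes) -> bytes:
    """Scheme B: single notation name, first octet of the value is the version."""
    return encode_notation(f"issuer-fpr@{NAMESPACE}", bytes([version]) + fpr)

def issuer_fingerprint(sp: bytes):
    """Recover (version, fingerprint) from either scheme; size is never used to guess."""
    name, value = decode_notation(sp)
    local, _, ns = name.partition("@")
    if ns != NAMESPACE or not local.startswith("issuer-fpr"):
        return None
    suffix = local[len("issuer-fpr"):]
    if suffix.isdigit():             # scheme A: version is explicit in the name
        return int(suffix), value
    if suffix == "" and value:       # scheme B: version is the leading value octet
        return value[0], value[1:]
    return None
```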