Re: [openpgp] Followup on fingerprints
Werner Koch <wk@gnupg.org> Thu, 30 July 2015 06:35 UTC
Return-Path: <wk@gnupg.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 984831A8028 for <openpgp@ietfa.amsl.com>; Wed, 29 Jul 2015 23:35:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qmAzjzAVymcN for <openpgp@ietfa.amsl.com>; Wed, 29 Jul 2015 23:35:26 -0700 (PDT)
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E87051A6FFF for <openpgp@ietf.org>; Wed, 29 Jul 2015 23:35:25 -0700 (PDT)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.80 #2 (Debian)) id 1ZKhR6-0002dr-59 for <openpgp@ietf.org>; Thu, 30 Jul 2015 08:35:24 +0200
Received: from wk by vigenere.g10code.de with local (Exim 4.84 #3 (Debian)) id 1ZKhQJ-0007Cm-Fr; Thu, 30 Jul 2015 08:34:35 +0200
From: Werner Koch <wk@gnupg.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
References: <CAMm+LwgTcn8CY+Zk-f9gzXQtMJezG97T+kx2=C7PR5g7zFer_A@mail.gmail.com> <87twsn2wcz.fsf@vigenere.g10code.de> <CAMm+LwgRJX-SvydmpUAJMmN3yysi4zzGSpO2yY4JAMhD-9xLgQ@mail.gmail.com> <87si870zqy.fsf@vigenere.g10code.de> <873806e1xq.fsf@alice.fifthhorseman.net>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=F2AD85AC1E42B367; url=finger:wk@g10code.com
Mail-Followup-To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Phillip Hallam-Baker <phill@hallambaker.com>, IETF OpenPGP <openpgp@ietf.org>
Date: Thu, 30 Jul 2015 08:34:35 +0200
In-Reply-To: <873806e1xq.fsf@alice.fifthhorseman.net> (Daniel Kahn Gillmor's message of "Wed, 29 Jul 2015 23:53:21 -0400")
Message-ID: <87k2ti17d0.fsf@vigenere.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/3P9BS5bRmndwiznz2Ezy-_QEoJs>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [openpgp] Followup on fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 06:35:28 -0000
On Thu, 30 Jul 2015 05:53, dkg@fifthhorseman.net said: > I'm not sure we should try to specify this kind of implementation > shortcut. If a machine has a full fingerprint available to it (as it Please have a look at Public-Key Encrypted Session Key Packets (Tag 1): | The body of this packet consists of: | | * A one-octet number giving the version number of the packet | type. The currently defined value for packet version is 3. | | * An eight-octet number that gives the Key ID of the public key to | which the session key is encrypted. If the session key is encrypted | to a subkey, then the Key ID of this subkey is used here instead of | the Key ID of the primary key. | | * A one-octet number giving the public-key algorithm used. This requires the 64 bit key id. I doubt that anyone want to change this basic packet - implementations would need to implement two different types of these packet for no real benefit. The ECDH algorithm also needs a 20 byte identification of the key and thus we need a second truncation type here for non-SHA-1 fingerprints. Thus having a way to compute a keyid from a fingerprint is required. Quite some time ago this has already been discussed and the suggestion was for a future fingerprint format to right truncate it instead of the left truncation we do right now. > about this point. In practice, the fingerprint seems to be most often > used when there is a human in the loop, and in that scenario, the The fingerprint is the unique identifier for a key and it has the nice property that it has a fixed length. It is used at a lot of places to represent the key - not necessary for humans. > textual representation of the fingerprint is indeed relevant. If two > humans are comparing fingerprints, or a human wants to pass a Sure this is important for the use of an OpenPGP implementaions. But it is not required for the correct working of the protocol. The protocol is independet of the UI. > The only place where the fingerprint is used explicitly as part of wire > format in RFC4880 is in the designated revoker subpacket, and on this And the ECDH algo. > list in the past there seems to have been no objection to replacing that > with a full public key packet as a way of avoiding concerns about weak I see no reason to do this. It would require a lot of changes in existing code because both method will need to be supported for backward compatibility. If also does not ease the real complexity which is to evaluate whether that key is still valid (not revoked, not expired etc.). Supporting in addition a new type of fingerprint is much simpler. > The other place where a fingerprint is used concretely is in HKP, as a > lookup string. But again, here, it's not a bit-for-bit wire format. > The fingerprint in hkp is transmitted as an ascii string of hexadecimal, > which is human-readable (to map to an HTTP query parameter that a human This just an encoding required by the keyserver protocol. It is not intended for humans. > As a result, it looks to me like a visual/textual representation of a > fingerprint could be in-scope for a 4880bis, if the WG wants to take it If we begin to extend the scope to the UI we have no reason to reject other UI things. I do not think this belongs into RFC4880bis. The human readable format of a fingerprint should either be in implementations hints or in a separate RFC. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
- [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Wyllys Ingersoll
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Gregory Maxwell
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Gregory Maxwell
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Peter Pentchev
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Nicholas Cole
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Nicholas Cole
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Bill Frantz
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Bill Frantz