Re: [openpgp] New fingerprint: to v5 or not to v5

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 10 October 2015 02:11 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, ianG <iang@iang.org>, "openpgp@ietf.org" <openpgp@ietf.org>
Thread-Topic: [openpgp] New fingerprint: to v5 or not to v5
Date: Sat, 10 Oct 2015 02:11:42 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B2EE19@uxcn10-5.UoA.auckland.ac.nz>
References: <878u84zy4r.fsf@vigenere.g10code.de> <87fv1xxe5w.fsf@alice.fifthhorseman.net> <87r3lgcup8.fsf@vigenere.g10code.de> <CACsn0c=-LKagSqTbgOV1W4Gu4u-f6vpVq82-nWSLGogjoeFKeg@mail.gmail.com> <CAMm+LwjeKDKnN2ZAisbKhWVS4kwCEm_VvcZ1MtftYzEJQpGdhg@mail.gmail.com> <87y4fi5wa9.fsf@vigenere.g10code.de> <9A043F3CF02CD34C8E74AC1594475C73F4B278ED@uxcn10-5.UoA.auckland.ac.nz> <8737xp5z45.fsf@vigenere.g10code.de> <56128637.6030504@iang.org>,<87wpuvx4o1.fsf@alice.fifthhorseman.net>
In-Reply-To: <87wpuvx4o1.fsf@alice.fifthhorseman.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/BJuzKDtx1D5fcpueebFefPML3nA>
Subject: Re: [openpgp] New fingerprint: to v5 or not to v5

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

>For X.509, we do have certificate fingerprints, but they turn out to not be
>particularly useful.

Actually they're very useful if you're doing proper checking in your PKI (so
not relying on commercial CAs or any of the X.500/X.509 folderol that doesn't
work), you either fingerprint the cert(s) you expect to see (e.g. for securing
a web service for a mobile app) or the CA cert that you rely on to issue certs
you can rely on. You can also use them for cute things like self-certifying
URLs, where the first part of the FQDN is a hash of the cert at that location.

Peter.
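The two uses Peter describes, pinning the fingerprint of an expected leaf or CA certificate and deriving a self-certifying hostname label from a certificate hash, worked through in Go as an added example (not code from this thread or from any OpenPGP implementation). It assumes SHA-256 over the DER encoding as the fingerprint, a pin set consulted from a TLS `VerifyPeerCertificate` callback, and, for the self-certifying label, the full hash encoded as unpadded lowercase base32 (52 characters, inside the 63-character DNS label limit); the encoding choice is an assumption, not a standard. The certificates are generated on the fly as throwaway test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base32"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint is the SHA-256 hash of a certificate's DER encoding (assumed convention).
func Fingerprint(der []byte) [32]byte { return sha256.Sum256(der) }

// FingerprintHex renders a fingerprint as colon-separated upper-case hex,
// the form most tools display so an operator can compare it out of band.
func FingerprintHex(fp [32]byte) string {
	var b strings.Builder
	for i, c := range fp {
		if i > 0 {
			b.WriteByte(':')
		}
		fmt.Fprintf(&b, "%02X", c)
	}
	return b.String()
}

// PinSet holds the fingerprints an application is willing to trust, either of
// the exact leaf certificate(s) it expects or of the CA that issues them.
type PinSet map[[32]byte]bool

// CheckChain accepts the peer if any certificate it presented (leaf or issuer)
// matches a pin. The signature matches tls.Config.VerifyPeerCertificate, so it
// can be installed directly; verifiedChains is ignored because the decision
// rests on the pin, not on the system trust store.
func (p PinSet) CheckChain(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	for _, der := range rawCerts {
		if p[Fingerprint(der)] {
			return nil
		}
	}
	return errors.New("no certificate in the presented chain matches a pinned fingerprint")
}

// SelfCertifyingLabel derives the leading DNS label for a self-certifying URL
// from the certificate hash (assumed encoding: unpadded lowercase base32).
func SelfCertifyingLabel(der []byte) string {
	fp := Fingerprint(der)
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	return strings.ToLower(enc.EncodeToString(fp[:]))
}

// VerifySelfCertifyingHost checks that the first label of host commits to the
// certificate actually presented, so the URL itself authenticates the cert.
func VerifySelfCertifyingHost(host string, der []byte) bool {
	label, _, _ := strings.Cut(strings.ToLower(host), ".")
	return label == SelfCertifyingLabel(der)
}

// NewSelfSignedCert builds a throwaway self-signed certificate (constructed
// test data, standing in for a real server or CA certificate).
func NewSelfSignedCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	expected, _ := NewSelfSignedCert("api.example.test")
	other, _ := NewSelfSignedCert("impostor.example.test")
	pins := PinSet{Fingerprint(expected): true}
	fmt.Println("pinned:", FingerprintHex(Fingerprint(expected)))
	fmt.Println("expected cert accepted:", pins.CheckChain([][]byte{expected}, nil) == nil)
	fmt.Println("other cert accepted:   ", pins.CheckChain([][]byte{other}, nil) == nil)
	host := SelfCertifyingLabel(expected) + ".example.test"
	fmt.Println("self-certifying host:", host)
	fmt.Println("host matches cert:", VerifySelfCertifyingHost(host, expected))
}
```

In a real client the pin set is compiled into the app or shipped with its configuration, and `CheckChain` is assigned to `tls.Config.VerifyPeerCertificate` (typically with `InsecureSkipVerify` left false so hostname and validity checks still run). Pinning the CA rather than the leaf survives routine certificate rotation; pinning the leaf is tighter but means every renewal is an app update.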