Re: including the entire fingerprint of the issuer in an OpenPGP certification

David Shaw <> Tue, 18 January 2011 22:43 UTC

Received: from (localhost []) by (8.14.4/8.14.3) with ESMTP id p0IMh5Pl062816 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 18 Jan 2011 15:43:05 -0700 (MST) (envelope-from
Received: (from majordom@localhost) by (8.14.4/8.13.5/Submit) id p0IMh5Jw062815; Tue, 18 Jan 2011 15:43:05 -0700 (MST) (envelope-from
X-Authentication-Warning: majordom set sender to using -f
Received: from ( []) by (8.14.4/8.14.3) with ESMTP id p0IMh38R062807 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <>; Tue, 18 Jan 2011 15:43:04 -0700 (MST) (envelope-from
Received: from ( []) (authenticated bits=0) by (8.14.4/8.14.4) with ESMTP id p0IMh2vK019330 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <>; Tue, 18 Jan 2011 17:43:02 -0500
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Apple Message framework v1081)
Subject: Re: including the entire fingerprint of the issuer in an OpenPGP certification
From: David Shaw <>
In-Reply-To: <>
Date: Tue, 18 Jan 2011 17:43:01 -0500
Message-Id: <>
References: <> <> <> <> <> <> <> <>
To: IETF OpenPGP Working Group <>
X-Mailer: Apple Mail (2.1081)
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by id p0IMh48Q062811
Precedence: bulk
List-Archive: <>
List-Unsubscribe: <>
List-ID: <>

On Jan 18, 2011, at 5:18 PM, Daniel Kahn Gillmor wrote:

> On 01/18/2011 05:05 PM, David Shaw wrote:
>> I don't think we want people using other than the consensus fingerprint algorithms and methods.  I suggest we make the first byte a version field, which can be 
>> set to '4' today for the current fingerprint, '5' for v5 keys, etc.
> Are we talking about versioning the fingerprint scheme, or versioning
> the key?  It sounds like a versioned fingerprint scheme, not a versioned
> key scheme to me.
> If we say '4' means the fingerprinting standard in RFC 4880 (OpenPGPv4)
> and '5' means some other fingerprint scheme then we're effectively
> creating a new registry to be managed by IANA, right?

No, this would be another use of the existing public/secret key version registry.  We already have a registry that covers key versions.

>> I suppose we could skip that field and detect version based on size,
>> but why use heuristics when we can know for sure with a version byte?
> We could also be sure if the name of the notation is precise enough.

Sorry - I wasn't clear enough.  Rather than using a notation, I was saying that if that we should define a "true" subpacket (not a notation) for this, but define the subpacket in a flexible enough way that we won't be throwing the subpacket away (or having to maintain it just for V4) when V5 comes.