Re: including the entire fingerprint of the issuer in an OpenPGP certification

David Shaw <> Tue, 18 January 2011 21:45 UTC

Received: from (localhost []) by (8.14.4/8.14.3) with ESMTP id p0ILjRiP060842 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 18 Jan 2011 14:45:27 -0700 (MST) (envelope-from
Received: (from majordom@localhost) by (8.14.4/8.13.5/Submit) id p0ILjRQ2060841; Tue, 18 Jan 2011 14:45:27 -0700 (MST) (envelope-from
X-Authentication-Warning: majordom set sender to using -f
Received: from ( []) by (8.14.4/8.14.3) with ESMTP id p0ILjPWH060836 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <>; Tue, 18 Jan 2011 14:45:26 -0700 (MST) (envelope-from
Received: from ( []) (authenticated bits=0) by (8.14.4/8.14.4) with ESMTP id p0ILjEJF018984 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 18 Jan 2011 16:45:15 -0500
Subject: Re: including the entire fingerprint of the issuer in an OpenPGP certification
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="us-ascii"
From: David Shaw <>
In-Reply-To: <>
Date: Tue, 18 Jan 2011 16:45:14 -0500
Cc: Werner Koch <>, OpenPGP Working Group <>
Message-Id: <>
References: <> <> <> <> <>
To: Jon Callas <>
X-Mailer: Apple Mail (2.1081)
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by id p0ILjQWG060837
Precedence: bulk
List-Archive: <>
List-Unsubscribe: <>
List-ID: <>

On Jan 18, 2011, at 12:48 PM, Jon Callas wrote:

> Hash: SHA1
>> I agree.  Further I am not sure whether we should do this full
>> fingerprint proposal right now or better wait for SHA-3.  If we would
>> settle now for a new fingerprint signature subpacket we will for sure
>> need to revise that for SHA-3.  We would need to maintain code for the
>> current fingerprint as well as for a SHA-3 for a little eternity.
> If we combine it with a hash-independent fingerprint -- e.g., first byte is an algorithm ID, others are the actual hash -- then we can put it in now and then run with it.

Rather than first byte being an algorithm ID, how about first byte being the version of the fingerprint?  So, it would be "4" for the current fingerprint, "5" for whatever we come up with later, etc.  If it is an algorithm ID, then we could end up with two different people encoding their fingerprints in two different ways, and have to support reading that in the clients.