Re: [openpgp] Fingerprint schemes versus what to fingerprint
Bill Frantz <frantz@pwpconsult.com> Thu, 07 April 2016 19:59 UTC
From: Bill Frantz <frantz@pwpconsult.com>
To: Werner Koch <wk@gnupg.org>
Cc: openpgp@ietf.org, Bryan Ford <brynosaurus@gmail.com>
Date: Thu, 07 Apr 2016 12:59:05 -0700
In-Reply-To: <87egahvs5i.fsf@wheatstone.g10code.de>
Message-ID: <r470Ps-10114i-A10719748E97459586178687076BE0F4@Williams-MacBook-Pro.local>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/LpGFQctOSM_sasp-bPeX3XNj0mU>
On 4/7/16 at 11:39 PM, wk@gnupg.org (Werner Koch) wrote:

>On Wed, 6 Apr 2016 20:15, brynosaurus@gmail.com said:
>
>>1. What fingerprint scheme(s) should OpenPGP move to going forward?
>
>A SHA-256 hash of the artificial OpenPGP key packet as we use it right
>now. The open question is whether to
>- include a creation timestamp,
>- a timestamp but fixed to 0 (as Google End-to-End does),
>- some other static info data to surely separate that fingerprint from
>other protocols fingerprint using the same key (i.e. token based)
>- no creation timestamp

If we use the string, "PGP Fingerprint", or some such, we get pretty good protection against cross protocol confusion. That string could go in the former timestamp field.

>You describe how a fingerprint is presented to the user. This has been
>out of scope for OpenPGP. Implementations have settled for a de-facto
>standard outside of the protocol. I think we should keep it this way
>and at best give only a suggestion for a human readable format.
>
>Humans are bad at comparing fingerprints; this should in general be left
>to the software and additional protocols to establish a connection
>between an identity and a key/fingerprint.

Bryan discussed the issue of verifying keys via fingerprints from e.g. business cards -- a procedure I have actually performed. And I verified all of the characters in the fingerprint too. :-)

This use case makes a strong case for a standard print format for fingerprints, so a fingerprint from one application can be input to another application for verification (a very good idea Werner), or in true desperation, eyeball verified. I do not see this use case going away because it allows people to eliminate third parties (e.g. web of trust or CAs) and reduce the number of different actors they are depending on for their security.
Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | Re: Hardware Management Modes:   | Periwinkle
(408)356-8506      | If there's a mode, there's a     | 16345 Englewood Ave
www.pwpconsult.com | failure mode. - Jerry Leichter   | Los Gatos, CA 95032
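The message above discusses two separable design points: what goes into the hashed "artificial key packet" (a real creation timestamp, a zero timestamp, or a protocol label such as "PGP Fingerprint" in the former timestamp field, so a key reused by another protocol does not yield the same fingerprint), and a standard printed form that one application can emit and another can read back for verification. The Python below is an added illustration written for this archive page; it is not code from the OpenPGP working group, GnuPG or any poster. It assumes the v4 packet layout (version byte, 4-byte creation time, algorithm id, key material) with the 0x99 tag and two-byte length framing that v4 fingerprints already hash, swaps SHA-1 for SHA-256 as Werner proposes, and treats "a label in place of the timestamp field" as a variable-length ASCII field, which is an encoding assumption rather than anything the list agreed on. The key material is constructed sample bytes, not a real key.

```python
import hashlib
import re
import struct

# Constructed sample inputs: NOT a real key.  Algorithm id 22 is EdDSA in the
# OpenPGP registry; the 32 bytes stand in for a public point only so the
# example has a stable input.  The timestamp is an arbitrary April 2016 value.
SAMPLE_ALGO_ID = 22
SAMPLE_KEY_MATERIAL = bytes(range(1, 33))
SAMPLE_CREATION_TIME = 1459980000

# The three options for the former timestamp field discussed on the list.
CONTEXT_TIMESTAMP = "timestamp"   # real creation time (current behaviour)
CONTEXT_ZERO = "zero"             # creation time fixed to 0 (End-to-End style)
CONTEXT_LABEL = "label"           # a protocol label instead of a timestamp


def key_packet_body(algo_id, key_material, creation_time,
                    context=CONTEXT_TIMESTAMP, label="PGP Fingerprint"):
    """Build the artificial key packet body that gets hashed.

    Layout follows the v4 public-key packet: version byte, context field,
    algorithm id, key material.  Putting a variable-length ASCII label where
    the 4-byte creation time used to be is an assumption about how such a
    proposal would be encoded, not OpenPGP syntax.
    """
    if context == CONTEXT_TIMESTAMP:
        ctx = struct.pack(">I", creation_time)
    elif context == CONTEXT_ZERO:
        ctx = struct.pack(">I", 0)
    elif context == CONTEXT_LABEL:
        ctx = label.encode("ascii")
    else:
        raise ValueError("unknown context %r" % context)
    return bytes([4]) + ctx + bytes([algo_id]) + key_material


def fingerprint(body):
    """SHA-256 over 0x99 || two-byte big-endian length || body.

    The 0x99 tag and length prefix are the framing v4 fingerprints already
    hash (with SHA-1); only the hash function changes here.
    """
    if len(body) > 0xFFFF:
        raise ValueError("key packet too long for a two-byte length")
    framed = bytes([0x99]) + struct.pack(">H", len(body)) + body
    return hashlib.sha256(framed).digest()


def format_fingerprint(fp):
    """Printed form: upper-case hex in groups of four, split over two lines,
    so it fits on a card and can be re-typed into another application."""
    hexstr = fp.hex().upper()
    groups = [hexstr[i:i + 4] for i in range(0, len(hexstr), 4)]
    half = len(groups) // 2
    return " ".join(groups[:half]) + "\n" + " ".join(groups[half:])


def parse_fingerprint(text, expected_len=32):
    """Read the printed form back: ignore whitespace and letter case, reject
    anything that is not exactly the expected number of hex digits."""
    compact = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % (expected_len * 2), compact):
        raise ValueError("not a well-formed fingerprint")
    return bytes.fromhex(compact)


def fingerprints_match(printed, computed):
    """Compare a fingerprint typed in from a card against a computed one;
    a malformed or truncated entry is a mismatch, never an exception."""
    try:
        return parse_fingerprint(printed) == computed
    except ValueError:
        return False


def sample_fingerprints():
    """Fingerprints of the same sample key under each context choice, plus
    the same key labelled for a different (constructed) protocol."""
    out = {}
    for ctx in (CONTEXT_TIMESTAMP, CONTEXT_ZERO, CONTEXT_LABEL):
        body = key_packet_body(SAMPLE_ALGO_ID, SAMPLE_KEY_MATERIAL,
                               SAMPLE_CREATION_TIME, context=ctx)
        out[ctx] = fingerprint(body)
    other = key_packet_body(SAMPLE_ALGO_ID, SAMPLE_KEY_MATERIAL,
                            SAMPLE_CREATION_TIME, context=CONTEXT_LABEL,
                            label="Other Protocol Fingerprint")
    out["other-protocol"] = fingerprint(other)
    return out


if __name__ == "__main__":
    for name, fp in sample_fingerprints().items():
        print("%s:\n%s\n" % (name, format_fingerprint(fp)))
```

Running the block prints four different 64-hex-digit fingerprints for one piece of key material: the label variant and the "other protocol" variant differ even though the key bytes and algorithm id are identical, which is the cross-protocol separation the message is after. The parser deliberately accepts whitespace and case differences but nothing else, so a card-to-keyboard transcription either reproduces the exact 32 bytes or fails closed.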