IETF Logo Mail Archive

Re: [openpgp] Followup on fingerprints

Werner Koch <wk@gnupg.org> Wed, 29 July 2015 15:24 UTC

Return-Path: <wk@gnupg.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 488781A9068 for <openpgp@ietfa.amsl.com>; Wed, 29 Jul 2015 08:24:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YnFOtwRQY3tg for <openpgp@ietfa.amsl.com>; Wed, 29 Jul 2015 08:24:35 -0700 (PDT)
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C2151A90C8 for <openpgp@ietf.org>; Wed, 29 Jul 2015 08:10:26 -0700 (PDT)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.80 #2 (Debian)) id 1ZKSzv-0001LE-Oe for <openpgp@ietf.org>; Wed, 29 Jul 2015 17:10:23 +0200
Received: from wk by vigenere.g10code.de with local (Exim 4.84 #3 (Debian)) id 1ZKSwQ-0005De-1F; Wed, 29 Jul 2015 17:06:46 +0200
From: Werner Koch <wk@gnupg.org>
To: Phillip Hallam-Baker <phill@hallambaker.com>
References: <CAMm+LwgTcn8CY+Zk-f9gzXQtMJezG97T+kx2=C7PR5g7zFer_A@mail.gmail.com> <87twsn2wcz.fsf@vigenere.g10code.de> <CAMm+LwgRJX-SvydmpUAJMmN3yysi4zzGSpO2yY4JAMhD-9xLgQ@mail.gmail.com>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=F2AD85AC1E42B367; url=finger:wk@g10code.com
Mail-Followup-To: Phillip Hallam-Baker <phill@hallambaker.com>, IETF OpenPGP <openpgp@ietf.org>
Date: Wed, 29 Jul 2015 17:06:45 +0200
In-Reply-To: <CAMm+LwgRJX-SvydmpUAJMmN3yysi4zzGSpO2yY4JAMhD-9xLgQ@mail.gmail.com> (Phillip Hallam-Baker's message of "Wed, 29 Jul 2015 10:31:22 -0400")
Message-ID: <87si870zqy.fsf@vigenere.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/OMBtG_NFAlvbyo2i4fQlLkCiBCY>
Cc: IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [openpgp] Followup on fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 15:24:37 -0000

On Wed, 29 Jul 2015 16:31, phill@hallambaker.com said:

> On Wed, Jul 29, 2015 at 4:37 AM, Werner Koch <wk@gnupg.org> wrote:

>> OpenPGP does not specify a user interface but the wire format.
>> Obviously we use the most compact format there which is the plain binary
>> format.  The questions are
>>
>
> That is how we used to work in the 1990s. Since then we have had to do
> internationalization and such.

I can't see what internationalization has to do with the binary
representation of a fingerprint.  As I said RFC-4880 is about the wire
format and not about user interfaces: It tells how to compute a
fingerprint and that it is the 16 octet MD5 hash or the 20 octet SHA-1
hash.  Now that a fingerprint is printed like this

pub   dsa2048/F2AD85AC1E42B367 2007-12-31 [expires: 2018-12-31]
      Key fingerprint = 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367

is the choice of the concrete implementation.  It is an interesting idea
to have a common way of representing fingerprints to the user or in an
URL but that is not in the scope of RFC-4800bis.

> Yes, totally. I am suggesting we put code points in for the SHA-2-512
> digest and the SHA-3-512 digest.

Until now we have bound the format of the fingerprint to the version of
the public key format.  The fingerprint for OpenPGP is a well defined
and internally used property of OpenPGP.  This avoids multiple
fingerprints as we see with X.509 which does not have a specification
for a fingerprint at all.

> My preference is to just truncate and use the inferred length. That allows

By truncation I mean an arbitary truncation like what we do with keyids.
Those 64 keyids are for example used to locally lookup the secret keys
for decryption - there is no need to have security here because it is
just a convenience method (cf. wild card keyids)

> This is the 'domain separation' issue that was mentioned in the meeting.
>
> I believe that we have to be able to revise the algorithm used to revise
> the fingerprint and the format of the data being formatted independently.

Again, OpenPGP does not specify how to format a fingerprint.  That is
and should stay out of scope for _this_ RFC but may be an additional
item for the WG.

> sufficient would be if a completely radical change to the format was being
> considered such as moving all the structures to YANG, CBOR, JSON or JSON-B.

The OpenPGP format is the OpenPGP format and not BER, PER, XML, or JSON.



Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

v2.23.0 | Report a Bug | By Email