Jon Callas <> Fri, 18 February 2011 18:29 UTC

Received: from (localhost []) by (8.14.4/8.14.3) with ESMTP id p1IITS90086386 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 18 Feb 2011 11:29:28 -0700 (MST) (envelope-from
Received: (from majordom@localhost) by (8.14.4/8.13.5/Submit) id p1IITS1D086382; Fri, 18 Feb 2011 11:29:28 -0700 (MST) (envelope-from
X-Authentication-Warning: majordom set sender to using -f
Received: from ( [] (may be forged)) by (8.14.4/8.14.3) with ESMTP id p1IITSWU086373 for <>; Fri, 18 Feb 2011 11:29:28 -0700 (MST) (envelope-from
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7CA9A2E060 for <>; Fri, 18 Feb 2011 10:30:53 -0800 (PST)
Received: from ([]) by localhost (host.domain.tld []) (amavisd-maia, port 10024) with ESMTP id 41082-05 for <>; Fri, 18 Feb 2011 10:30:51 -0800 (PST)
Received: from ( []) (Authenticated sender: jon) by (Postfix) with ESMTPA id 342712E05F for <>; Fri, 18 Feb 2011 10:30:51 -0800 (PST)
Received: from [] ([]) by (PGP Universal service); Fri, 18 Feb 2011 10:29:25 -0800
X-PGP-Universal: processed; by on Fri, 18 Feb 2011 10:29:25 -0800
Mime-Version: 1.0 (Apple Message framework v1082)
Subject: Re: DEADBEEF vs SHA1
From: Jon Callas <>
In-Reply-To: <>
Date: Fri, 18 Feb 2011 10:29:24 -0800
Message-Id: <>
References: <> <> <>
To: IETF OpenPGP Working Group <>
X-Mailer: Apple Mail (2.1082)
X-PGP-Encoding-Format: Partitioned
X-PGP-Encoding-Version: 2.0.2
X-Content-PGP-Universal-Saved-Content-Transfer-Encoding: quoted-printable
X-Content-PGP-Universal-Saved-Content-Type: text/plain; charset=us-ascii
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: Maia Mailguard
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by id p1IITSWU086377
Precedence: bulk
List-Archive: <>
List-Unsubscribe: <>
List-ID: <>

Hash: SHA1

I think it's very important to understand the distinction between the protocol(s) we have and machines that implement the protocols. Those machines can be APIs (e.g. OpenPGP SDK, Bouncy Castly, etc.) applications (e.g. GnuPG, PGP Desktop), appliances (e.g. PGP Universal), but they are not the same thing. It's perfectly fine for an application to do some right thing that is not supported by some protocol.

For example, when I was at PGP Corporation, I used to say a lot that OpenPGP is a standard (and a protocol), but PGP is software. The PGP Software implements the OpenPGP protocol, but it also implements the S/MIME protocol, as well as SSL/TLS, X.509, SMTP, and so on. 

It's with that in mind, the difference between the protocol and software is an important part of this discussion.

I agree with Ian completely that there are people who have old (v3 key) encrypted and signed data that they need to get to. Decrypting data is the most important thing. I'm sure that I have some things in old backups that maybe I'd like to decrypt some day without having to break the key they're encrypted to.

There are a number of ways to deal with this. For example, I could have a copy of PGP 2.6.3 lying around and use that to decrypt my old things. That's only a mild inconvenience. Similarly, PGP or GnuPG could keep v3 keys around *as* *software* for such archival purposes. It might even make sense from a user experience aspect to have them in historic keyrings that are not in one's face every day. Or GnuPG could handle it despite it not being any longer standard, or ....

The bottom line is that a key id in that context is a 64-bit binary key into a database. That's all that it is. Yeah, it's derived with a function, but it's just a key.

IETF RFCs are not programming manuals. They are also not requirements documents for applications. They are descriptions of how to properly interoperate, and that's all. Application designers still have to think.


Version: PGP Universal 2.10.0 (Build 554)
Charset: us-ascii