Re: [openpgp] Non-SHA-1 fingerprints in signatures [was: Proposal for a separable ring signature scheme...]

David Shaw <> Fri, 14 March 2014 02:40 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CAE061A06C3 for <>; Thu, 13 Mar 2014 19:40:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LsW1GV4mxBgq for <>; Thu, 13 Mar 2014 19:40:29 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B5ED51A0700 for <>; Thu, 13 Mar 2014 19:40:29 -0700 (PDT)
Received: from ( []) (authenticated bits=0) by (8.14.4/8.14.4) with ESMTP id s2E2eLF9011994 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 13 Mar 2014 22:40:22 -0400
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: David Shaw <>
In-Reply-To: <>
Date: Thu, 13 Mar 2014 22:40:21 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Vincent Yu <>
X-Mailer: Apple Mail (2.1874)
Cc: IETF OpenPGP <>
Subject: Re: [openpgp] Non-SHA-1 fingerprints in signatures [was: Proposal for a separable ring signature scheme...]
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 14 Mar 2014 02:40:32 -0000

On Mar 13, 2014, at 9:28 PM, Vincent Yu <> wrote:

> On 03/13/2014 06:02 PM, Jon Callas wrote:
>> My suggestion is that you write up an I-D, and push it.
>> My quick read looks like this is a useful thing, and it would be nice to have. Just as Andrey pushed an ECC draft and there have been others, it'd be a great way to go.
>> As DKG noted, we have a constant collision, but that's not a big deal. That's why we have IANA.
>> 	Jon
> Thanks for your comments. I plan to write up and submit an I-D if no one points out egregious problems with the current proposal.
> In past threads, there were discussions about supporting non-SHA-1 fingerprints [1] and including full issuer fingerprints in signatures [2]. You forwarded to this list a proposal for a new fingerprint [3]. Did anything concrete come out of that proposal or other discussions?
> In my proposal, I am using key IDs (i.e., the rightmost 8 octets of SHA-1 fingerprints) in a new signature subpacket, but I would like to switch to non-SHA-1 fingerprints if there is a standard or consensus about how they should be formatted. This is an opportune time to introduce such fingerprints since backward compatibility is not a relevant consideration.

Changing fingerprints raises a lot of complexity that you may not want tied to your I-D.  I suspect that non-SHA-1 fingerprints will not happen without an accompanying V5 key format.

With regards to your I-D, I recommend using the full fingerprint instead of the 64-bit key ID in your sig subpacket.  That is the least ambiguous way to specify a key today, and while it is V4 specific, it can be easily changed if and when the fingerprint changes, just like the revocation key subpacket will need to be.

(Though see )