IETF Logo Mail Archive

Re: [openpgp] Fingerprint requirements for OpenPGP

Derek Atkins <derek@ihtfp.com> Wed, 13 April 2016 14:28 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C077012DDC2 for <openpgp@ietfa.amsl.com>; Wed, 13 Apr 2016 07:28:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ihtfp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LZZy4QMZlUTk for <openpgp@ietfa.amsl.com>; Wed, 13 Apr 2016 07:28:01 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 012D112DDB5 for <openpgp@ietf.org>; Wed, 13 Apr 2016 07:28:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 61DA9E2036; Wed, 13 Apr 2016 10:26:51 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 25547-05; Wed, 13 Apr 2016 10:26:37 -0400 (EDT)
Received: from securerf.ihtfp.org (tacc-24-54-172-229.smartcity.com [24.54.172.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id 56A96E2039; Wed, 13 Apr 2016 10:26:35 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1460557596; bh=+kl3WXgLX6ziCLebBHYaxASbSnfQhTo8WG/+4MZ/1u4=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=YoR1T8M/ocSUBjZOXa2zqyVdaGood9zDnBSTrY3hDRpazL1pVI5s4Ircshidhv/3r xunowgUe7dbEcGPivIZygm5y7V0Dl+DEtRlwW6Ini0AKYZ088VIJhsrSfODjhYNImT zIyAXSXpPOgBJKym7bea7YHue91X9Qd4SiuUWX18=
Received: (from warlord@localhost) by securerf.ihtfp.org (8.15.2/8.14.8/Submit) id u3DER5B0026678; Wed, 13 Apr 2016 10:27:05 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Derek Atkins <derek@ihtfp.com>
References: <87vb3nslqh.fsf@alice.fifthhorseman.net> <sjmbn5e3na2.fsf@securerf.ihtfp.org> <87d1pug303.fsf@wheatstone.g10code.de> <85d83d5bac518c53d7a78d5d049a73ed.squirrel@mail2.ihtfp.org> <87wpo2ehch.fsf@wheatstone.g10code.de>
Date: Wed, 13 Apr 2016 10:27:04 -0400
In-Reply-To: <87wpo2ehch.fsf@wheatstone.g10code.de> (Werner Koch's message of "Tue, 12 Apr 2016 21:51:10 +0200")
Message-ID: <sjmk2k11t53.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/WT4tnmnhj1Cap8t8MKa4nWY3QzE>
Cc: IETF OpenPGP <openpgp@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [openpgp] Fingerprint requirements for OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2016 14:28:03 -0000

Werner,

Werner Koch <wk@gnupg.org> writes:

> On Tue, 12 Apr 2016 19:44, derek@ihtfp.com said:
>
>> This would fall under an "internal DB Identifier."  DKG called that out of
>> scope for this discussion topic.
>
> It is not "internal" because it is part of the OpenPGP protocol
> (Signature Packet) and thus visible by all who are verifying a
> signature.
>
> I define "internal" as a property of the implementation - maybe this is
> the misunderstanding.

Probably.  To me the key part of "internal" means "a human never sees
it".  I'm considering "internal" to be "in the data formats", which can
be used between implementations and not just within a single
implementation.

>> There is no human in the loop here.  That means it does not need to be
>> "the same" as the user-visible "fingerprint".
>
> Need not, right.  But adding yet another identifier to a key only leads
> to more confusion and more complex error handling.  I do not expect that
> you want OpenPGP to repeat the error made by X.509.

We already, to some degree, have that issue.  There's the keyID and
there's the fingerprint.  They are different (although with v4 one is
derived from the other).

I think we need to step back again and keep in mind that the (human)
authenticaton fingerprint may (should?) be different from the (internal
or external) database identifer string.

> Salam-Shalom,
>
>    Werner

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

v2.23.0 | Report a Bug | By Email