[openpgp] Fingerprint schemes versus what to fingerprint
Bryan Ford <brynosaurus@gmail.com> Wed, 06 April 2016 18:16 UTC
Return-Path: <brynosaurus@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2FFB12D1F0 for <openpgp@ietfa.amsl.com>; Wed, 6 Apr 2016 11:16:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Kh--F6MEhSA for <openpgp@ietfa.amsl.com>; Wed, 6 Apr 2016 11:16:05 -0700 (PDT)
Received: from mail-qg0-x230.google.com (mail-qg0-x230.google.com [IPv6:2607:f8b0:400d:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0759E12D0E1 for <openpgp@ietf.org>; Wed, 6 Apr 2016 11:16:05 -0700 (PDT)
Received: by mail-qg0-x230.google.com with SMTP id f105so19261069qge.2 for <openpgp@ietf.org>; Wed, 06 Apr 2016 11:16:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:message-id:references:to; bh=wJovbGKs5fJe0/nL+cb4A72TTJxeWgiHZ2hrnhcgfrE=; b=AEFylmC9HWbmHc2EQHuITnxctTx3qj/ZJPQTZT6JklG6rWZaA7msZRxVijHX6UjY6r cAEyE5RhNCegBGN2+Tw+CgEiIFVsz7V1bWdEKLaABMhDM7A6LCto4oo1I3mARQUuk1q/ fKMpAQDwji6P7IiRmiZM7fwYiJKWRupP5EaM/9ZfiealIM53BW554qx0QCj6DXHAvf6p QJorpdRtTFrqnLfeY4I/DEgMw6jR9K8e7sKO9re4AkmaBvwkoXITG3aBgAoYLbdeva5C lGIfGW+VXzzMOlIwyp81LM9uUZceznERMq9rnyduJSFQ/wyejptwJhxIxXnqDW8oxPVd M8JQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date :message-id:references:to; bh=wJovbGKs5fJe0/nL+cb4A72TTJxeWgiHZ2hrnhcgfrE=; b=mnJ6iUT1CZM3jHQbciWQjhPUP67/X8b+runBGp01SrbzB44/qIVBUUjRVkyCylXR2w FTvZLt61nD3qH5jkMkgwaAf02crlzTWYa9yifZSvB3p4p8idoSWb5yyAfcYeY0OHTHyw eBqHHnGV/KrBNESd9dgHXVjXaCsuWNYyS/AfqkPBSBo8erpU2d2nkDvLEbu2CzOGQa/o wDr6KmKmLsh31Hg4rIpxRKvkYBTenD17QJ6SB4cP64YkibAMvCgcSMnBlgBlXTgsHGfe uBonEiQi6OjPEuE+Lo5AfbkQ9R0LXg1NYr3eqdJmmSlo+EYcwyuCULUcSNd4YCdmWedh Jt/Q==
X-Gm-Message-State: AD7BkJJ+f5iMG0bySQVzINdi/pqjYhQ6Bgnz4RX507O2gzRQzZoYwJv66gwIkFcN133K7A==
X-Received: by 10.140.28.52 with SMTP id 49mr37430599qgy.66.1459966564063; Wed, 06 Apr 2016 11:16:04 -0700 (PDT)
Received: from [192.168.1.9] ([186.60.153.174]) by smtp.gmail.com with ESMTPSA id f13sm1028747qke.43.2016.04.06.11.16.01 for <openpgp@ietf.org> (version=TLSv1/SSLv3 cipher=OTHER); Wed, 06 Apr 2016 11:16:02 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_D773E599-4E56-4858-958A-E4D5A7408896"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Pgp-Agent: GPGMail 2.6b2
From: Bryan Ford <brynosaurus@gmail.com>
In-Reply-To: <20151110021943.GH3896@vauxhall.crustytoothpaste.net>
Date: Wed, 06 Apr 2016 15:15:59 -0300
Message-Id: <72665D15-F685-41F6-A477-8E65DBBC5A04@gmail.com>
References: <43986BDA-010F-4DBF-8989-53E71B74E66A@gmail.com> <20151110021943.GH3896@vauxhall.crustytoothpaste.net>
To: openpgp@ietf.org
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/YXX6KDQqwztAYBC0EUqNmUct3gk>
Subject: [openpgp] Fingerprint schemes versus what to fingerprint
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2016 18:16:07 -0000
To followup on today’s in-meeting discussion of evolving OpenPGP fingerprints beyond SHA-1, I want to propose that there are at least two orthogonal issues to decide (and I’m probably not the first to suggest this): 1. What fingerprint scheme(s) should OpenPGP move to going forward? 2. What exactly should the OpenPGP “application” fingerprint with that scheme? To clarify, I propose to define a “fingerprint scheme” as an algorithm that takes a raw octet string and produces an ASCII string of some kind for users to cut-and-paste, compare, read off over the phone, etc. By this definition, just like a cryptographic “hash scheme” or “signature scheme”, the “fingerprint scheme” itself doesn’t need to know or care what octet string gets fed into it. As such there’s no reason such a “fingerprint scheme” itself needs to be in any way specific to OpenPGP, and I would support the proposals that Phillip and others have made that it would be ideal to standardize future fingerprint scheme(s) independently of particular protocols such as OpenPGP, and just have OpenPGP use that scheme. CFRG might be the obvious place to do this. Of course, I understand the logistical downsides of having an OpenPGP work-item depend on work elsewhere (e.g., CFRG) that isn’t even started yet… But this approach might still be worth considering from a “get it right” perspective if there isn’t currently some kind of severe time pressure on the OpenPGP side. The other, very OpenPGP-specific, question is of course what exact octet-string should get fed into whatever fingerprint scheme is chosen. DKG brought up the question of whether that octet-string should still include the Unix timestamp like it currently does. I think that question leads to a bigger set of issues that I’ll try to tease apart in a subsequent E-mail. But first I just wanted to propose this explicit separation of the two questions, “which fingerprint scheme?” (i.e., which function from octet-strings to ASCII-strings), and “what to fingerprint?” (how does OpenPGP get from a key to the octet-string to feed the fingerprint scheme?). Thanks Bryan
- [openpgp] Keyholder-configurable fingerprint sche… Bryan Ford
- Re: [openpgp] Keyholder-configurable fingerprint … ianG
- Re: [openpgp] Keyholder-configurable fingerprint … ianG
- Re: [openpgp] Keyholder-configurable fingerprint … brian m. carlson
- [openpgp] Fingerprint schemes versus what to fing… Bryan Ford
- Re: [openpgp] Fingerprint schemes versus what to … Werner Koch
- Re: [openpgp] Fingerprint schemes versus what to … Peter Gutmann
- Re: [openpgp] Fingerprint schemes versus what to … Werner Koch
- Re: [openpgp] Fingerprint schemes versus what to … Bryan Ford
- Re: [openpgp] Fingerprint schemes versus what to … Werner Koch
- Re: [openpgp] Fingerprint schemes versus what to … Bryan Ford
- Re: [openpgp] Fingerprint schemes versus what to … Bill Frantz
- Re: [openpgp] Fingerprint schemes versus what to … Derek Atkins
- Re: [openpgp] Fingerprint schemes versus what to … Peter Gutmann
- Re: [openpgp] Fingerprint schemes versus what to … Derek Atkins
- Re: [openpgp] [FORGED] RE: Fingerprint schemes ve… Peter Gutmann
- Re: [openpgp] [FORGED] RE: Fingerprint schemes ve… Derek Atkins
- Re: [openpgp] [FORGED] RE: [FORGED] RE: Fingerpri… Peter Gutmann
- Re: [openpgp] Fingerprint schemes versus what to … Derek Atkins
- Re: [openpgp] [FORGED] RE: Fingerprint schemes ve… Peter Gutmann
- Re: [openpgp] Fingerprint schemes versus what to … Derek Atkins
- Re: [openpgp] [FORGED] RE: Fingerprint schemes ve… Mark D. Baushke
- Re: [openpgp] Fingerprint schemes versus what to … Werner Koch
- Re: [openpgp] [FORGED] RE: Fingerprint schemes ve… Werner Koch