Re: including the entire fingerprint of the issuer in an OpenPGP certification

Ian G <> Thu, 20 January 2011 10:21 UTC

Received: from (localhost []) by (8.14.4/8.14.3) with ESMTP id p0KALrpf043769 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Jan 2011 03:21:54 -0700 (MST) (envelope-from
Received: (from majordom@localhost) by (8.14.4/8.13.5/Submit) id p0KALrdu043768; Thu, 20 Jan 2011 03:21:53 -0700 (MST) (envelope-from
X-Authentication-Warning: majordom set sender to using -f
Received: from ( [] (may be forged)) by (8.14.4/8.14.3) with ESMTP id p0KALrCN043763 for <>; Thu, 20 Jan 2011 03:21:53 -0700 (MST) (envelope-from
Received: from viento.local (localhost []) by (Postfix) with ESMTP id AEC82406C2; Thu, 20 Jan 2011 10:21:51 +0000 (UTC)
Message-ID: <>
Date: Thu, 20 Jan 2011 21:21:51 +1100
From: Ian G <>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20101207 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: IETF OpenPGP Working Group <>
Subject: Re: including the entire fingerprint of the issuer in an OpenPGP certification
References: <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-Archive: <>
List-Unsubscribe: <>
List-ID: <>

On 19/01/11 8:07 AM, Daniel Kahn Gillmor wrote:
> On 01/18/2011 12:48 PM, Jon Callas wrote:
>> If we combine it with a hash-independent fingerprint -- e.g., first byte is an algorithm ID, others are the actual hash -- then we can put it in now and then run with it.
> Daniel Nagy suggests that we also change the material being hashed in
> the fingerprint (he wants to leave out the creation date).  If that
> proposal ends up achieving consensus then your proposal here will need
> further modification.
> Does anyone feel strongly about Nagy's proposal, by the way?  i'm not
> sure what the tradeoffs are.
> Even without that concern, if we encourage super-flexible use like this,
> user agents who wanted to use it to test for the presence of a given key
> in an indexed keystore would need to index their keys with every
> possible digest that might be used -- that seems excessive somehow.
> (and unlikely that keyserver implementations would want a half-dozen
> indexes, for that matter)  Wouldn't it be better to just implement it
> for today's fingerprint, and then when a new fingerprint is agreed upon,
> determine (by subpacket length maybe?) whether it's the new fingerprint
> or the old one.  Compliant user agents would keep the two indexes around
> until the v4 fingerprint goes away, and then drop the old one.
> Alternately, we could embed the algorithm ID as you suggest, and SHOULD
> people into generating them using only the consensus fingerprint
> algorithms so that reasonable user agents only need to create indexes
> over SHA1 (now) and SHA3 (whenever that happens).

The style of OpenPGP v5++ has been algorithm agility, and getting away 
from that is likely to take time, and/or bravery.

Which leads me to agree that the fingerprint should include the leading 
algorithm Id, because that's how we do message digests.  And in text, we 
browbeat the developers to stick to the "the one."

(In which, the one will be two, SHA1 then SHA3, until we can ditch the 
other "one".)

On the other hand, there is that hanging question:  do we want algorithm 
agility in the future?  What did we ever win by it?  Did it ever meet 
its promise?

If the answer is in the negative, I'd be inclined to ignore the whole 
packet question and start thinking instead about a completely new layout 
generation that simplified the coding requirements back to something ... 
PGP 2.3 like.


PS: at least, that's my question & hobby horse.  Others have other 
questions and hobby horses.