OpenPGP headers

Atom 'Smasher' atom at suspicious.org
Tue Aug 10 16:53:25 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, 10 Aug 2004, Simon Josefsson wrote:
> Christian Biere <cbiere at TechFak.Uni-Bielefeld.DE> writes:
>
>>> OpenPGP-KeyID: 0xB88D52E4D9F57808 (4096-RSA)
> ...
>> 	OpenPGP-KeyID: id=0x12345678; algo=RSA; bits=4096
>
> What purpose does the RSA/4096 information serve?  If this is purely for
> human consumption, which I suspect, then placing it in a comment seems
> actually better.  I'm not sure I see what an application could
> usefully do with the algo/bits flags.  The header name seems confusing
> if the header does contain non-keyid data, too.
=======================

the id (or fingerprint) is just as important in determining the correct 
key as the size and algo. although it's difficult to do now, there's a 
trick with v3 keys where it's not difficult to generate a key having a 
predetermined id (the deadbeef attack). this is made easy when the key 
size is not confirmed.

while [i think] this is likely to be used by humans more than machines, 
it's still human readable (although a little less friendly) while being 
very readable to a machine.

the way to make it more user friendly while still being machine readable, 
i think, is to add a "name" column to RFC2440:9.1 (DSA, RSA, ELG, etc) so 
that algorithms actually do have a standard way of being communicated... 
is public key algo 21 "DH"? "X942"? "X9.42"? as of now, "21" is the only 
way to consistently identify it... sure, RSA and DSA are self explanatory, 
but the naming convention doesn't scale well.

also, these headers won't be used by my granny. people who even know to 
look for them can figure out how to read them, and maybe in the meantime 
they will be parsed by mail and news clients (and people won't have to 
read them).

the header name is now "OpenPGP-Key", which i think accurately describes 
its contents: information necessary [but not securely!] to confirm that 
the correct key is used.



> Personally, I prefer Atom's original proposal.  It is simpler.  Just
> gobble up all non-comment data in the header, remove any '0x' and
> whitespace, and you have a 4/8/16 byte fingerprint.  On that theme, I
> would propose to merge the OpenPGP: and OpenPGP-Fingerprint: headers,
> just use OpenPGP: for all keyids/fingerprints.
> 
> Finally, I don't see why '0x' MUST be present.  I think it could be
> optional.
========================

the original proposal was simpler for people... the current version is 
simpler for computers.

draft 0.1 <http://atom.smasher.org/pgp-headers/pgp-headers01.txt> allows a 
full fingerprint to be used as a key id. it also specifies that a key id 
SHOULD be prefixed with "0x"... the prefix aids in avoiding ambiguity.



 	...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"I am somehow less interested in the weight and
 	 convolutions of Einstein's brain than in the near
 	 certainty that people of equal talent have lived and
 	 died in cotton fields and sweatshops."
 		-- Stephen Jay Gould
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

-----END PGP SIGNATURE-----
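
The check argued for in the reply above, as an added example that is not part of the original message or of any draft: a client parses the `id=...; algo=...; bits=...` form quoted in the thread and rejects a candidate key that shares the key id but differs in size or algorithm. The function names, the candidate-key dictionary and the look-alike key are assumptions made for illustration, and the id comparison assumes a v4 key, where the key id is the tail of the fingerprint. As the message says, this only filters candidates and does not securely confirm a key.

```python
import re

def parse_openpgp_key_header(value):
    """Parse 'id=0x...; algo=RSA; bits=4096' (syntax quoted in the thread)."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop parenthesised comments
    fields = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            fields[name.strip().lower()] = val.strip()
    # Normalise the id: remove whitespace and an optional '0x' prefix.
    key_id = re.sub(r"\s+", "", fields.get("id", "")).upper()
    if key_id.startswith("0X"):
        key_id = key_id[2:]
    # 4/8-byte key ids, 16-byte (v3) or 20-byte (v4) fingerprints, as hex.
    if len(key_id) not in (8, 16, 32, 40) or not re.fullmatch(r"[0-9A-F]+", key_id):
        raise ValueError("id is not a key id or fingerprint in hex")
    bits = fields.get("bits")
    return {"id": key_id,
            "algo": fields.get("algo", "").upper() or None,
            "bits": int(bits) if bits else None}

def mismatches(expected, candidate):
    """List the attributes on which a candidate key disagrees with the header."""
    problems = []
    # Assumption: v4 key, so the key id is a suffix of the fingerprint.
    fpr = re.sub(r"\s+", "", candidate["fingerprint"]).upper()
    if not fpr.endswith(expected["id"]):
        problems.append("id")
    if expected["algo"] and expected["algo"] != candidate["algo"].upper():
        problems.append("algo")
    if expected["bits"] is not None and expected["bits"] != candidate["bits"]:
        problems.append("bits")
    return problems

# Key id, size and algorithm as given in the thread, in the proposed syntax.
HEADER = "id=0xB88D52E4D9F57808; algo=RSA; bits=4096"
# Fingerprint from the sender's signature block.
GENUINE = {"fingerprint": "762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808",
           "algo": "RSA", "bits": 4096}
# Constructed look-alike: same 64-bit key id, different size.
LOOKALIKE = {"fingerprint": "0" * 24 + "B88D52E4D9F57808",
             "algo": "RSA", "bits": 1024}

if __name__ == "__main__":
    want = parse_openpgp_key_header(HEADER)
    for label, key in (("genuine", GENUINE), ("look-alike", LOOKALIKE)):
        print(label, mismatches(want, key) or "matches header")
```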



More information about the Gnupg-devel mailing list