atom at suspicious.org
Tue Aug 10 16:53:25 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 10 Aug 2004, Simon Josefsson wrote:
> Christian Biere <cbiere at TechFak.Uni-Bielefeld.DE> writes:
>>> OpenPGP-KeyID: 0xB88D52E4D9F57808 (4096-RSA)
>> OpenPGP-KeyID: id=0x12345678; algo=RSA; bits=4096
> What purpose do the RSA/4096 information serve? If this is purely for
> human consumption, which I suspect, then placing it in a comment seem
> actually better. I'm not sure I see what an application could
> usefully do with the algo/bits flags. The header name seem confusing
> if the header do contain non-keyid data, too.
the id (or fingerprint) is just as important in determining the correct
key as the size and algo. although it's difficult to do now, there's a
trick with v3 keys where it's not difficult to generate a key having a
predetermined id (the deadbeef attack). this is made easy when the key
size is not confirmed.
while [i think] this is likely to be used by humans more than machines,
it's still human readable (although a little less friendly) while being
very readable to a machine.
the way to make it more user friendly while still being machine readable,
i think, is to add a "name" column to RFC2440:9.1 (DSA, RSA, ELG, etc) so
that algorithms actually do have a standard way of being communicated...
is public key algo 21 "DH"? "X942"? "X9.42"? as of now, "21" is the only
way to consistently identify it... sure, RSA and DSA are self explanatory,
but the naming convention doesn't scale well.
also, these headers won't be used by my granny. people who even know to
look for them can figure out how to read them, and maybe in the meantime
they will be parsed by mail and news clients (and people won't have to
the header name is now "OpenPGP-Key", which i think accurately describes
it's contents: information necessary [but not securely!] to confirm that
the correct key is used.
> Personally, I prefer Atom's original proposal. It is simpler. Just
> gobble up all non-comment data in the header, remove any '0x' and
> whitespace, and you have a 4/8/16 byte fingerprint. On that theme, I
> would propose to merge the OpenPGP: and OpenPGP-Fingerprint: headers,
> just use OpenPGP: for all keyids/fingerprints.
> Finally, I don't see why '0x' MUST be present. I think it could be
the original proposal was simpler for people... the current version is
simpler for computers.
draft 0.1 <http://atom.smasher.org/pgp-headers/pgp-headers01.txt> allows a
full fingerprint to be used as a key id. it also specifies that a key id
SHOULD be prefixed with "0x"... the prefix aids in avoiding ambiguity.
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
"I am somehow less interested in the weight and
convolutions of Einstein's brain than in the near
certainty that people of equal talent have lived and
died in cotton fields and sweatshops."
-- Stephen Jay Gould
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
-----END PGP SIGNATURE-----
More information about the Gnupg-devel