OpenPGP headers

Atom 'Smasher' atom at suspicious.org
Tue Aug 10 23:23:12 CEST 2004


On Tue, 10 Aug 2004, Thomas Sjögren wrote:
> On Tue, Aug 10, 2004 at 10:53:25AM -0400, Atom 'Smasher' wrote:

>> the id (or fingerprint) is just as important in determining the correct
>> key as the size and algo.
>
> don't you mean "the size and algo is just as important
> in determining the correct key as the id (or fingerprint)"?
=========

yes, that too  ;)


> however, i don't believe that is true since the way to find the correct
> way is to check the complete fingerprint. the size and algo is of no
> interest in determining the correct key:
> 1. it isn't near unique and isn't supposed to be
> 2. people change key sizes and algo but don't change keys, take for
> example the use of subkeys.
==========

if only a single identifier could be used to determine a particular key, 
of course we'd use a fingerprint. but i think the other identifiers are 
too important to toss aside.

i'm not sure what you mean about subkeys... these headers only identify 
primary keys.


>> draft 0.1 <http://atom.smasher.org/pgp-headers/pgp-headers01.txt> allows a
>> full fingerprint to be used as a key id. it also specifies that a key id
>> SHOULD be prefixed with "0x"... the prefix aids in avoiding ambiguity.
>
> Since this draft is about providing "information about the senders OpenPGP key."
> I think section 1.1.1 should be different because, as stated in rfc 2440
> implementations SHOULD NOT assume that Key IDs are unique.
> Hence, to correctly identify a key you need the complete fingerprint.
===============

the fingerprint can be used in the OpenPGP-Key header (id) and/or the 
OpenPGP-Fingerprint header. this is acceptable:

 	OpenPGP-Key: id=0x762A3B98A3C396C9C6B7582AB88D52E4D9F57808 ;
 		algo=1 ; size=4096

and i should include that as an example in the draft.

taking your point a step further, though, should the fingerprint be used
as an ID in the OpenPGP-Key header (id), and then there's no need for an
OpenPGP-Fingerprint header? or... should there be separate headers for the
fingerprint, algo and size?

of these options, i sort of like using the full fingerprint in the id 
field, and making that a MUST. and then the spec would consist of only two 
headers, "OpenPGP-Key" and "OpenPGP-URL".


         ...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"Television: A medium. So called because it is neither rare
 	 nor well done."
 		-- Ernie Kovacs


More information about the Gnupg-devel mailing list
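
Added example, not part of the original message or of the draft: a Python sketch that parses the OpenPGP-Key header shown in the message and reports whether its id is a full fingerprint or only a key ID, which is the distinction the thread turns on. The parameter grammar is inferred from the single example in the message, the function names are hypothetical, and the suffix comparison assumes v4 keys, where the key ID is the low-order bits of the fingerprint.

```python
import re

# Constructed sample: the folded header quoted in the message above.
SAMPLE = ("OpenPGP-Key: id=0x762A3B98A3C396C9C6B7582AB88D52E4D9F57808 ;\n"
          "\t\talgo=1 ; size=4096\n")

# Number of hex digits -> kind of identifier (v4 keys).
ID_KINDS = {8: "short-keyid", 16: "long-keyid", 40: "fingerprint"}


def parse_openpgp_key(raw):
    """Parse one OpenPGP-Key header into a dict; raise ValueError if malformed."""
    # Unfold continuation lines (line break followed by whitespace).
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
    name, colon, value = unfolded.partition(":")
    if not colon or name.strip().lower() != "openpgp-key":
        raise ValueError("not an OpenPGP-Key header")
    params = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        key, eq, val = part.partition("=")
        key = key.strip().lower()
        if not eq or key in params:
            raise ValueError("malformed or duplicate parameter: %r" % part)
        params[key] = val.strip()
    hexid = params.get("id", "")
    prefixed = hexid[:2].lower() == "0x"  # the draft says the prefix SHOULD be there
    if prefixed:
        hexid = hexid[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexid) or len(hexid) not in ID_KINDS:
        raise ValueError("id must be 8, 16 or 40 hex digits")
    result = {"id": hexid.upper(), "kind": ID_KINDS[len(hexid)], "prefixed": prefixed}
    for field in ("algo", "size"):
        if field in params:
            if not re.fullmatch(r"[0-9]+", params[field]):
                raise ValueError("%s must be a decimal number" % field)
            result[field] = int(params[field])
    return result


def match(header, fingerprint):
    """Compare a parsed header with the fingerprint of a candidate key."""
    fpr = re.sub(r"\s+", "", fingerprint).upper()
    if not fpr.endswith(header["id"]):
        return "mismatch"
    # A key ID that fits is only a hint: key IDs are not guaranteed unique.
    return "exact" if header["kind"] == "fingerprint" else "keyid-only"
```

A caller that wants to select a key unambiguously would accept only "exact" and treat "keyid-only" as a lookup hint that still needs fingerprint verification.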