Using second keyring may be misleading?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Jun 24 22:00:21 CEST 2012


On 06/24/2012 03:42 AM, Nicholas Cole wrote:
>>> So it still confuses implementations? :)
>>
>> Alas :)
>>
>> Unfortunately, it's pretty inherent in the design.  The issuer subpacket that contains the key ID for a signature only has the 64-bit key ID.  We'd need a new issuer subpacket that contained the whole fingerprint.
> 
>  1.  I've never really understood why the full fingerprint *wasn't*
> used for this sort of thing.  The key ID probably ought to be kept as
> much as possible as a human-only convenience.  Is there no way to
> imagine the standard changing? (I guess this would need a new key
> format version, and possibly a new signature format?)

There was a discussion about how this could be accomplished on the
IETF's OpenPGP WG list, starting here:

 http://www.imc.org/ietf-openpgp/mail-archive/msg09915.html

One interesting outcome was the proposal (which i have failed to
implement) of using an OpenPGP "notation" subpacket with a well-defined
name, and a value of the full fingerprint of the issuer.  Compatible
signing applications could insert this subpacket in addition to the
"issuer" subpacket, and compatible verifying applications could use it
to disambiguate between colliding keyids.

	--dkg

[0] https://tools.ietf.org/html/rfc4880#section-5.2.3.16
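The following is an added example, not code from dkg's message or from GnuPG, showing the disambiguation the message describes: a verifier that matches signatures to keys by the 64-bit issuer key ID alone, and how a notation subpacket carrying the full fingerprint narrows two colliding keys down to one. The keyring, the two fingerprints and the notation name `issuer-fpr@example.org` are constructed sample values and assumptions; the subpacket layouts follow RFC 4880 sections 5.2.3.1, 5.2.3.5 and 5.2.3.16.

```python
"""Disambiguating colliding 64-bit key IDs with a full-fingerprint notation."""
import struct

# Constructed keyring: two v4 keys whose 20-byte fingerprints (hex) share their
# low 64 bits, so their key IDs collide.  These are made-up values, not real keys.
KEY_A = "A" * 24 + "0123456789ABCDEF"
KEY_B = "B" * 24 + "0123456789ABCDEF"
KEYRING = {KEY_A: "alice@example.org", KEY_B: "mallory@example.org"}

# Assumed notation name for the proposal; not a standardised name.
ISSUER_FPR_NOTATION = "issuer-fpr@example.org"
ISSUER_SUBPACKET_TYPE = 16    # RFC 4880 5.2.3.5: 8-octet key ID
NOTATION_SUBPACKET_TYPE = 20  # RFC 4880 5.2.3.16: flags, name, value
HUMAN_READABLE_FLAG = 0x80000000


def key_id(fingerprint_hex):
    """64-bit key ID of a v4 key: the low-order 64 bits of the fingerprint."""
    return fingerprint_hex[-16:].upper()


def encode_subpacket(subpacket_type, body):
    """Prefix a subpacket body with its new-format length and type octet."""
    length = len(body) + 1  # the type octet counts toward the length
    if length < 192:
        return bytes([length, subpacket_type]) + body
    if length < 8384:
        length -= 192
        return bytes([(length >> 8) + 192, length & 0xFF, subpacket_type]) + body
    return b"\xff" + struct.pack(">I", length) + bytes([subpacket_type]) + body


def encode_notation(name, value, human_readable):
    """Notation data: 4 octets flags, 2 octets name length, 2 octets value length."""
    flags = HUMAN_READABLE_FLAG if human_readable else 0
    name_b = name.encode("utf-8")
    body = struct.pack(">IHH", flags, len(name_b), len(value)) + name_b + value
    return encode_subpacket(NOTATION_SUBPACKET_TYPE, body)


def parse_subpackets(data):
    """Return a list of (type, body) pairs from a subpacket area."""
    out, pos = [], 0
    while pos < len(data):
        first = data[pos]
        pos += 1
        if first < 192:
            length = first
        elif first < 255:
            length = ((first - 192) << 8) + data[pos] + 192
            pos += 1
        else:
            length = struct.unpack(">I", data[pos:pos + 4])[0]
            pos += 4
        out.append((data[pos], data[pos + 1:pos + length]))
        pos += length
    return out


def parse_notation(body):
    """Inverse of encode_notation: returns (flags, name, value)."""
    flags, nlen, vlen = struct.unpack(">IHH", body[:8])
    name = body[8:8 + nlen].decode("utf-8")
    return flags, name, body[8 + nlen:8 + nlen + vlen]


def build_signature_subpackets(issuer_fpr_hex, include_fingerprint_notation):
    """What a compatible signer would put in the hashed subpacket area: the
    issuer key ID, plus (optionally) the full-fingerprint notation."""
    area = encode_subpacket(ISSUER_SUBPACKET_TYPE, bytes.fromhex(key_id(issuer_fpr_hex)))
    if include_fingerprint_notation:
        area += encode_notation(ISSUER_FPR_NOTATION, issuer_fpr_hex.encode("ascii"), True)
    return area


def candidate_issuers(keyring, subpacket_area):
    """Fingerprints of keys that could have issued the signature.  Matching on
    the key ID alone may return several; the notation narrows it to one."""
    issuer_kid = notation_fpr = None
    for sp_type, body in parse_subpackets(subpacket_area):
        if sp_type == ISSUER_SUBPACKET_TYPE:
            issuer_kid = body.hex().upper()
        elif sp_type == NOTATION_SUBPACKET_TYPE:
            _, name, value = parse_notation(body)
            if name == ISSUER_FPR_NOTATION:
                notation_fpr = value.decode("ascii").upper()
    candidates = [fpr for fpr in keyring if key_id(fpr) == issuer_kid]
    if notation_fpr is not None:
        # Only a fingerprint consistent with the issuer key ID may narrow the set.
        candidates = [fpr for fpr in candidates if fpr == notation_fpr]
    return candidates


if __name__ == "__main__":
    print(candidate_issuers(KEYRING, build_signature_subpackets(KEY_A, False)))
    print(candidate_issuers(KEYRING, build_signature_subpackets(KEY_A, True)))
```

A verifier should only honour the notation when it sits in the hashed subpacket area, since unhashed subpackets are not covered by the signature and could be added by anyone; and, as the code does, it should treat the notation as a filter on keys already matched by the issuer key ID, never as a substitute for it.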
