At 4:07 AM -0700 7/7/99, Will Price wrote:
Thomas Roessler wrote:
> On 1999-07-07 02:38:43 -0700, Will Price wrote:

Yes, it was obvious. You're not seeing what I mean by biometric. The word list is a feature we implemented to provide better biometric properties for key fingerprint authentication.

> Technical documentation and mappings for the word lists are
> published in the docs for PGP where they belong. Not in this
> group.

Sorry, Will, this word mapping _is_ an interchange format for OpenPGP key properties, so it _does_ belong on this list and into an (at least informational) Internet RFC. After all, there is a reason behind having a well-defined key fingerprint displayed to and exchanged by users, isn't it?

I could see a case for documenting the word list we developed into an informational RFC with no relation to this working group. I'm sure we'd be happy to see that happen. However, the feature is a biometric authentication method that has no relation to the OpenPGP data formats. Saying that this should have gone through OpenPGP in the first place is like saying the PGPkeys GUI and whether RSA keys are silver or gold should go through OpenPGP.
There are interesting points here. If the word list is relied upon by the users of the application to exchange the fingerprint, then it is part of the protocol of key exchange. While RFC2440 doesn't deal with key exchange, we've assumed that key verification by users would be performed by exchanging fingerprints in some fashion. The word list is an example of "in some fashion", and must equate to the fingerprint, otherwise it wouldn't unambiguously identify a key.
It is mandatory that any RFC2440 implementation generate and parse a particular kind of fingerprint. While the word list may prove to be eminently useful (it may not; I was amused by Thomas' notion of a "spoken" business card), it seems to me we can safely put this aside.
It may become an issue, however, if work on key exchange protocols and experience with word lists indicates it will likely become widely accepted, and is a preferred way to express the fingerprint. For now, I'd prefer to leave it aside and concentrate on verifying the status in implementations of existing MUSTs in 2440.
john noerenberg (in Oslo Jul 10-19, 1999)
jwn2@xxxxxxxxxxxx
----------------------------------------------------------------------
The man that can most truly be accounted brave is he who best knows
the meaning of what is sweet in life and what is terrible, and then
goes out undeterred to meet what is to come.
-- Pericles, "Funeral Oration", 479 B.C.
----------------------------------------------------------------------