[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: decimal fingerprints [was: Re: Non-SHA-1 fingerprints]

To: IETF OpenPGP Working Group <ietf-openpgp@xxxxxxx>
Subject: Re: decimal fingerprints [was: Re: Non-SHA-1 fingerprints]
From: "Daniel A. Nagy" <nagydani@xxxxxxxxxxxxxxxx>
Date: Tue, 05 May 2009 08:15:29 +0200
In-reply-to: <49FF94D4.3030101@xxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-id: <ietf-openpgp.imc.org>
List-unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
References: <5F766368-BB36-4076-807D-E0CEDB7B0026@xxxxxxxxxxxxxxx> <49FF6677.7070907@xxxxxxxxxxxxxxxx> <C89DD624-BCDB-4240-BC46-48E6A89B40B6@xxxxxxxxxxxxxxx> <49FF94D4.3030101@xxxxxxxxxxxxxxxxx>
Sender: owner-ietf-openpgp@xxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.21 (X11/20090318)

Actually, it is not the fingerprint, but the key ID that is typed in, but it is
a NICE feature of OpenPGP at present that the key ID is simply a substring of
the fingerprint. I would hate to lose that.

Daniel Kahn Gillmor wrote:
> On 05/04/2009 08:17 PM, David Shaw wrote:
>> On May 4, 2009, at 6:04 PM, Daniel A. Nagy wrote:
>>
>>> Also, since mobile phones typically have a numeric keypad, it would be
>>> nice if
>>> fingerprints and key IDs were numeric-only. It is an increasingly
>>> important
>>> platform for OpenPGP, I believe.
>> I think that is a good point and a great idea, but the only reason that
>> fingerprints and key IDs are printed in hex now is tradition.  There is
>> nothing in the standard one way or another about how humans should
>> consume fingerprints.  You could even do it with the current V4
>> fingerprints: just as my key fingerprint is
>> 7D92FD313AB6F3734CC59CA1DB698D7199242560 in hex, it is equally correct
>> as 716901811312187285520504099705403090347495794016 in decimal.  The big
>> problem I see here is that's it's an awfully long number to type into a
>> mobile keypad.
> 
> How often does anyone type in a fingerprint at all?  My impression of
> the typical workflow is:
> 
> 
>  * read fingerprint from physical media (business card, scrap of paper, etc)
> 
>  * search for a key from the public keyservers (usually by User ID).
> 
>  * scan list of results for a key with a matching keyid (truncated
> fingerprint)
> 
>  * fetch selected key from keyserver
> 
>  * view/double-check fingerprint of fetched key againt physical media
> 
> In this workflow, the only typing done is to enter the user id to search
> for (and even that is not always needed on a mobile device, because the
> person searched for is may already be in the address book for other
> contacts).  if the fingerprint is entered, it's often only the truncated
> keyid, which is guaranteed to be much smaller than the fpr in any case.
> 
> Making this change to the fingerprint presentation seems huge: are
> people expected to change all their business cards, .sigs, web sites,
> etc. to show both styles of fingerprint?  or to completely transition to
> the new style?  in terms of truncated fingerprints (keyids), how are we
> to distinguish between the ones which currently have only digits 0-9 in
> hex and decimal-style fingerprints?  This seems like a very costly
> tradeoff for the sake of thumbing in 8 decimal characters instead of 8
> hex digits.
> 
> 	--dkg
>

Attachment: signature.asc
Description: OpenPGP digital signature

References:
- Non-SHA-1 fingerprints
  - From: David Shaw
- Re: Non-SHA-1 fingerprints
  - From: Daniel A. Nagy
- Re: Non-SHA-1 fingerprints
  - From: David Shaw
- decimal fingerprints [was: Re: Non-SHA-1 fingerprints]
  - From: Daniel Kahn Gillmor

Prev by Date: Re: Fix revocation keys instead of fingerprints? (was Re: Non-SHA-1 fingerprints)
Next by Date: Re: Non-SHA-1 fingerprints
Previous by thread: decimal fingerprints [was: Re: Non-SHA-1 fingerprints]
Next by thread: Re: Non-SHA-1 fingerprints
Index(es):
- Date
- Thread