On 01/17/2011 10:22 PM, David Shaw wrote: > I like this idea. I would do it as "full fingerprint" myself. > The difference in storage between 160 bits and 96 bits is all > of 8 bytes. I think the simplicity of being able to say the > whole fingerprint is in there is worth a measly 8 bytes. That seems like a reasonable cost/benefit analysis to me. > Do we necessarily need a new subpacket type for this? It > could pretty easily be a notation. Thereby making it even longer -- how many bytes are you prepared to throw at the problem? ;) So with gpg, this is doable already with something like this in gpg.conf: sig-notation signer-fpr@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=%g I dislike this aesthetically for 3 reasons: 0) the subpacket is hashed into the signature created, which doesn't seem necessary. 1) the notation value is in plain text (twice as long as it needs to be) 2) i don't like the notation name being as long as the one i just chose :P but maybe i'm just being a bit-miser with 1 and 2. And maybe 0 isn't all that important, either. (is there a way to tell GnuPG to make the notation subpacket in the unhashed part of the signature?) i (think i) have signed this message using the above notation name. i'd be happy to drop that notation name in favor of anything more concise from a domain with a reasonably stable track record related to this stuff. If anyone on the list has difficulty verifying my signature as a result of this notation, please let me know. David, do you think a patch to interpret a notation like this would be of interest to GnuPG? Are any other OpenPGP implementations willing or interested in coming to consensus on a notation name and working on this? And what should an implementation do if the issuer subpacket and the "full fingerprint" packet disagree on the last 64 bits? --dkg
Attachment:
signature.asc
Description: OpenPGP digital signature