Re: Public-key distribution via HTTP

[Jon Callas <jon@xxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jan 12, 2008, at 12:17 AM, Peter Gutmann wrote:

>
> Don't be mislead by the title (http://www.ietf.org/rfc/rfc4387.txt),  
> it was
> published under the auspices of PKIX but it's really "a simple, fairly
> universal means of publishing your public key via HTTP".  The CACert  
> folks
> have set up a Wiki page to cover implementation info, feedback, and  
> comments:
> http://wiki.cacert.org/wiki/RFC4387.
>

I like it.

The only complaint that I have is that the OpenPGP attributes are a  
bit behind the times. I would like to see it updated for 4880 and  
generalized. I think there are some similar issues for X.509, too.

(Actual technical details -- a key fingerprint there is defined to be  
a binary 160 bits. It ought to be a string because we very well may  
come up with a generic way to compute a fingerprint with an arbitrary  
hash. Given that a fingerprint in this context is really just a  
database retrieval handle (note the way I skillfully avoid the word  
"key"), having it be just text is a good thing. Also, in 4880, we  
deprecate the old-style keys. In the new-style keys, a key ID is just  
a truncation of a fingerprint.)

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.6.3
Charset: US-ASCII

wj8DBQFHkSy4sTedWZOD3gYRAvR4AKDIg9jHBkbd4LYrq7Zy4Gb8SCCnvACfVutc
jGcjwQd2l6LQ0nEj8sjJo1w=
=Nn4m
-----END PGP SIGNATURE-----