[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [openpgp] New fingerprint: to v5 or not to v5

On Thu 2015-09-17 14:41:56 -0400, Werner Koch <wk@xxxxxxxxx> wrote:
> If we want to introduce a, say, SHA-256 fingerprint, the straightforward
> way is to define a v5 key packet format which will be identical to the
> v4 format with the exception of the packet version number (and maybe
> rules on what algorithms to use with a v5 key) [1].

Thanks for raising these points, Werner.

It should be straightforward to take the key material from an existing
v4 key and wrap it in a v5 packet, thereby producing a "new key" that's
actually the "same key".  So claiming that key material can only be used
as *either* v4 or v5 wouldn't quite be correct.

The difference here is that existing OpenPGP certifications made against
the key wrapped in v4 public key packet won't be applied to the "new" v5
public key.  Similarly, existing revocations or rejections of the old
key won't be applied to the "new" key.  That is, the same key material
presented as a new version is effectively treated as a distinct key no
matter what.

i personally find the argument about wanting bijectivity pretty
compelling.  If we can say with confidence that one OpenPGP object has
exactly one fingerprint format to use, that should greatly simplify
matching and verification.

So far, all responses in this thread have been in favor of coupling the
version with the fingerprint choice.  Does anyone in the WG want to
speak against this, or should we treat it as a conclusive and move
forward on that basis?


openpgp mailing list