change headers and text to show practical uses of fingerprints and KeyIDs for software and email communication

This commit is contained in:
Tammi L. Coles 2024-02-15 14:39:30 +01:00
parent eebaf7c503
commit c5c553a454

View file

@ -214,26 +214,24 @@ The development of fingerprints within the OpenPGP framework reflects ongoing ef
[^schuermann]: See "An Empirical Study of Textual Key-Fingerprint Representations" [<https://www.ibr.cs.tu-bs.de/papers/schuermann-usenix2016.pdf>](https://www.ibr.cs.tu-bs.de/papers/schuermann-usenix2016.pdf) [^schuermann]: See "An Empirical Study of Textual Key-Fingerprint Representations" [<https://www.ibr.cs.tu-bs.de/papers/schuermann-usenix2016.pdf>](https://www.ibr.cs.tu-bs.de/papers/schuermann-usenix2016.pdf)
### Use of Fingerprints and Key IDs in APIs ### Practical use of fingerprints and Key IDs in software
However, both Fingerprints and Key IDs may (and usually *must*) be used, programmatically, by software that handles OpenPGP data, to address specific certificates. This is equally true for OpenPGP version 6. Fingerprints and Key IDs play a pivotal role in the programmatic interaction with OpenPGP certificates. Software that handles OpenPGP data relies on these identifiers to precisely address and manage specific certificates. This utility extends across all versions of OpenPGP, including version 6, underscoring the indispensable nature of these identifiers in both user-facing contexts and behind-the-scenes operations.
Note that regardless of the OpenPGP version, software that relies on 8-byte Key IDs should not assume that Key IDs are unique. It is trivial to generate collisions for 8-byte Key IDs, so applications must be able to handle Key ID collisions gracefully. While Key IDs offer a shorthand method for identifying certificates, they come with security caveats. The 8-byte Key IDs are susceptible to collisions, and applications must be prepared to handle such scenarios gracefully. The use of 4-byte "short Key IDs" is strongly discouraged due to [the triviality of generating collisions within a 32-bit keyspace](https://evil32.com/), posing significant security risks.
The historical 4-byte "short Key IDs" format should not be used anywhere, anymore (finding collisions in a 32-bit keyspace has been [trivial for a long time](https://evil32.com/)). In essence, fingerprints and Key IDs are crucial for software to programmatically address specific OpenPGP certificates, balancing between the need for precise identification and the challenges posed by potential security vulnerabilities associated with Key IDs.
(certificate-lookup-by-email)= (certificate-lookup-by-email)=
### Looking up certificates by email ### Certificate lookup by email using fingerprints and Key IDs
Searching OpenPGP certificates by email is a use case that often arises. For example, when composing an email to a new contact, the sender may want to find the OpenPGP certificate for that contact. A common use case of fingerprints and Key IDs, crucial for day-to-day secure communications, is locating an OpenPGP certificate associated with an email address.
Different mechanisms allow certificate lookup by email, for example: - **[Web Key Directory (WKD)](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/)** and **[Hagrid](https://keys.openpgp.org/)** exemplify systems that leverage these identifiers for secure and privacy-respecting certificate lookup by email, enhancing the reliability of encrypted email communications.
- [Web Key Directory](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/) (WKD) - **SKS-style keyservers** represent a more traditional approach to certificate distribution. Despite their age, these keyservers continue to play a role in the OpenPGP ecosystem. Today, most of these run the [Hockeypuck](https://github.com/hockeypuck/hockeypuck) software, which helps secure the keyserver infrastructure. SKS-style keyservers use fingerprints and Key IDs for certificate indexing and retrieval, underscoring the universal applicability of these identifiers in enhancing email security across various platforms.
- The [keys.openpgp.org](https://keys.openpgp.org/) "verifying keyserver" (also known as ["hagrid"](https://gitlab.com/keys.openpgp.org/hagrid), the name of the server software it runs)
- SKS-style OpenPGP keyservers (today, most of these run the [Hockeypuck](https://github.com/hockeypuck/hockeypuck) software)
Their properties differ, for more see [](certificate-distribution). While their properties differ, these mechanisms showcase the indispensable role of fingerprints and Key IDs in facilitating secure email exchanges within the OpenPGP ecosystem.
(certificate-freshness)= (certificate-freshness)=
## Certificate freshness: Triggering updates with an expiration time ## Certificate freshness: Triggering updates with an expiration time