From eebaf7c503c80c2cfbb653e482126f319734209a Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 15 Feb 2024 14:38:06 +0100 Subject: [PATCH] simplify and combine version difference section --- book/source/adv/certificates.md | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/book/source/adv/certificates.md b/book/source/adv/certificates.md index cc96ea1..8e48e06 100644 --- a/book/source/adv/certificates.md +++ b/book/source/adv/certificates.md 
@@ -204,24 +204,15 @@ OpenPGP certificates are uniquely identified through fingerprints and Key IDs, d This section delves into the evolution of these identifiers, their practical application across various platforms, and their critical role in facilitating the lookup of OpenPGP certificates by email. By serving as reliable methods for distinguishing and referencing certificates, fingerprints and Key IDs are instrumental in the verification, distribution, and management of OpenPGP certificates within the cryptographic community. -### Fingerprints and Key IDs in Version 4 +### Version differences in fingerprints -With OpenPGP version 4 certificates, it was customary that user-facing software used 20 byte (160 bit) *fingerprints* as an identifier for the certificate. Or alternatively, the 8 byte (64 bit) *Key ID* variant of the fingerprint. Both were represented in hexadecimal format, sometimes with whitespace to group the identifier into blocks for easier readability. +The development of fingerprints within the OpenPGP framework reflects ongoing efforts to bolster security measures and align with current cryptographic standards. Initially, fingerprints were shorter and derived using less secure hashing algorithms. As cryptographic standards advanced, the need for longer, more secure fingerprints became apparent, leading to the adoption of longer hash functions to generate these identifiers. -Workflows such as +- **Version 4 fingerprints**: OpenPGP version 4 introduced 20-byte (160-bit) fingerprints, generated using the SHA-1 hashing algorithm. These fingerprints became the standard for identifying certificates, with their hexadecimal representation commonly used in various user workflows. Activities such as verifying a new contact's certificate or issuing third-party certifications often required manual comparison of these fingerprints, highlighting their centrality to OpenPGP's trust-building processes. 
-- accepting a certificate for a communication partner, or -- issuing a third-party certification for an identity, +- **Version 6 fingerprints**: The OpenPGP version 6 standards transition to 32-byte (256-bit) fingerprints, enhancing security through the use of stronger hash functions. However, due to the challenges humans face in comparing high-entropy data, [version 6 explicitly recommends against using these longer fingerprints](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-fingerprint-usability) in user-facing contexts, advocating instead for "mechanical fingerprint transfer and comparison" whenever possible. This shift underscores the evolving considerations around the usability and security of certificate identifiers[^schuermann]. -required users to manually compare the 40 character long hexadecimal representation of a fingerprint against a reference source for that fingerprint. - -### Fingerprints in Version 6 - -The OpenPGP version 6 standard uses 32 byte (256 bit) fingerprints, but explicitly defines no format for displaying those fingerprints in a human-readable form. The standard [recommends strongly against](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-fingerprint-usability) using version 6 fingerprints as identifiers in user-facing workflows. - -Instead, "mechanical fingerprint transfer and comparison" should be preferred, wherever possible. The reasoning is that humans tend to be bad at comparing high-entropy data[^schuermann] (in addition, many users are probably put off by being asked to compare long hexadecimal strings). - -[^schuermann]: See "An Empirical Study of Textual Key-Fingerprint Representations" +[^schuermann]: See "An Empirical Study of Textual Key-Fingerprint Representations" [](https://www.ibr.cs.tu-bs.de/papers/schuermann-usenix2016.pdf) ### Use of Fingerprints and Key IDs in APIs
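Review bot: The rewrite drops the only definition of the Key ID in this section: the removed paragraph explained that the 8 byte (64 bit) *Key ID* is a variant of the 20 byte fingerprint and that both are shown in hexadecimal, but neither bullet mentions Key IDs at all, even though the section intro and the following heading "Use of Fingerprints and Key IDs in APIs" still rely on the term. Please keep one sentence in the "Version 4 fingerprints" bullet, for example "The 8 byte (64 bit) *Key ID* is a truncated variant of this fingerprint; both are represented in hexadecimal, often grouped with whitespace for readability." Two smaller points: the removed version 6 paragraph stated that the standard "explicitly defines no format for displaying those fingerprints in a human-readable form", which is a concrete, citable fact worth retaining in the version 6 bullet, and the new intro sentence "Initially, fingerprints were shorter and derived using less secure hashing algorithms" is left unsupported, since the bullets only cover version 4 and version 6, so either name the version and algorithm it refers to or drop the sentence. Finally, the changed footnote uses an empty link `[](https://www.ibr.cs.tu-bs.de/papers/schuermann-usenix2016.pdf)`, which renders as a link with no visible text; wrap the paper title instead: `See ["An Empirical Study of Textual Key-Fingerprint Representations"](https://www.ibr.cs.tu-bs.de/papers/schuermann-usenix2016.pdf)`.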