~sircmpwn/gmni-discuss


Shorter fingerprints

Message ID: <C7CIPJVEWOQ4.1YITTDBAPVVIP@nitro>
DKIM signature: fail

What do you think of using sha256 + base64 for certificate fingerprints?
That would make fingerprints shorter and easier to read for humans.

Message ID: <C7CIV9M38Z49.39NNMC005HXAM@taiga>
In-Reply-To: <C7CIPJVEWOQ4.1YITTDBAPVVIP@nitro>
DKIM signature: fail

The current fingerprint was chosen because it matches what
openssl x509 -sha512 -fingerprint shows, which is desirable as it
provides an easy secondary way of verifying the fingerprint.

Message ID: <C7CKXYN3AXSJ.3AKPFVIFN48KD@nitro>
In-Reply-To: <C7CIV9M38Z49.39NNMC005HXAM@taiga>
DKIM signature: fail

On Wed Nov 25, 2020 at 12:31 PM EST, Drew DeVault wrote:
> The current fingerprint was chosen because it matches what
> openssl x509 -sha512 -fingerprint shows, which is desirable as it
> provides an easy secondary way of verifying the fingerprint.

I agree that this is desirable. However, using openssl's format with ':'
between each octet makes it difficult to decode the raw fingerprint.

SSH uses base64 to encode public keys in its known_hosts file.

Message ID: <C7UNW1R7VLR8.3GKISRGK8W2CD@nitro>
In-Reply-To: <C7CKXYN3AXSJ.3AKPFVIFN48KD@nitro>
DKIM signature: pass

On Wed Nov 25, 2020 at 2:09 PM EST, Adnan Maolood wrote:
> On Wed Nov 25, 2020 at 12:31 PM EST, Drew DeVault wrote:
> > The current fingerprint was chosen because it matches what
> > openssl x509 -sha512 -fingerprint shows, which is desirable as it
> > provides an easy secondary way of verifying the fingerprint.
>
> I agree that this is desirable. However, using openssl's format with ':'
> between each octet makes it difficult to decode the raw fingerprint.
>
> SSH uses base64 to encode public keys in its known_hosts file.

What do you think about removing the ':' between each octet in the known
hosts file? That would make it easier to decode the raw SHA-512 hash.
Software can then re-encode the fingerprint in any format it pleases
before displaying it to the user, including with ':'.
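
The three encodings discussed in this thread (openssl's colon-separated uppercase hex, the same hex with the colons removed, and SSH-style base64) all carry the same raw digest bytes, so a client can store one and display any. The following added example, which is not code from gmni or from any participant in the thread, computes a SHA-512 certificate fingerprint, renders it in each encoding, parses any of them back to raw bytes, and performs a constant-time trust-on-first-use comparison. The DER bytes are a constructed stand-in, not a real certificate, and the `SHA512 Fingerprint=` label handling mirrors what `openssl x509 -fingerprint` prints.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
# A Gemini client would hash the exact DER bytes the server presented in the
# TLS handshake.
SAMPLE_DER = b"\x30\x82\x01\x0a\x30\x81\xf5" + bytes(range(256)) + b"example.org"


def fingerprint(der: bytes, algo: str = "sha512") -> bytes:
    """Raw digest of the DER certificate; sha512 is the thread's current choice."""
    return hashlib.new(algo, der).digest()


def to_openssl_hex(digest: bytes) -> str:
    """Encoding printed by `openssl x509 -<algo> -fingerprint`:
    uppercase hex with one ':' between octets, e.g. 'AB:CD:...'."""
    return ":".join(f"{b:02X}" for b in digest)


def to_plain_hex(digest: bytes) -> str:
    """Same digest without separators, as proposed in the thread."""
    return digest.hex()


def to_base64(digest: bytes) -> str:
    """Standard base64, the encoding SSH uses for keys in known_hosts."""
    return base64.b64encode(digest).decode("ascii")


_HEX = re.compile(r"^[0-9A-Fa-f]+$")
_B64 = re.compile(r"^[A-Za-z0-9+/]+=*$")


def parse_fingerprint(text: str, digest_len: int = 64) -> bytes:
    """Decode any of the three encodings back to raw digest bytes.

    Length disambiguates hex from base64 for a given digest size: a 64-byte
    SHA-512 digest is 128 hex characters but only 88 base64 characters, so a
    base64 string that happens to use only hex characters is not misread.
    """
    s = text.strip()
    # Tolerate the 'SHA512 Fingerprint=' label openssl prints in front.
    s = re.sub(r"^[\w-]+\s+Fingerprint=", "", s, flags=re.IGNORECASE)
    compact = s.replace(":", "").replace(" ", "")
    if len(compact) == 2 * digest_len and _HEX.match(compact):
        digest = bytes.fromhex(compact)
    elif _B64.match(compact):
        compact += "=" * (-len(compact) % 4)  # accept unpadded base64 too
        digest = base64.b64decode(compact, validate=True)
    else:
        raise ValueError("not a recognised fingerprint encoding")
    if len(digest) != digest_len:
        raise ValueError(f"expected {digest_len}-byte digest, got {len(digest)}")
    return digest


def fingerprints_match(stored: str, presented_der: bytes, digest_len: int = 64) -> bool:
    """TOFU check: compare a stored fingerprint (in any encoding) against the
    certificate actually presented, using a constant-time comparison."""
    algo = {32: "sha256", 64: "sha512"}[digest_len]
    return hmac.compare_digest(
        parse_fingerprint(stored, digest_len), fingerprint(presented_der, algo)
    )


if __name__ == "__main__":
    d = fingerprint(SAMPLE_DER)
    print("openssl:", to_openssl_hex(d))
    print("plain  :", to_plain_hex(d))
    print("base64 :", to_base64(d))
    print("match  :", fingerprints_match(to_base64(d), SAMPLE_DER))
```

Because parsing is keyed on the expected digest length, the same function serves a SHA-256 known-hosts entry by passing `digest_len=32`; the comparison is done on raw bytes rather than on the display string, so a stored colon-separated entry still matches a presented base64 one.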

Message ID: <C7UQBUVV4965.3FVAO5BLNXC68@taiga>
In-Reply-To: <C7UNW1R7VLR8.3GKISRGK8W2CD@nitro>
DKIM signature: pass

I'm not changing the fingerprints. Don't ask.