Re: javakey and PGP-style fingerprints, keyids and keyservers

Marianne Mueller (mrm@eng.sun.com)
Wed, 12 Mar 1997 10:57:21 -0800

Date: Wed, 12 Mar 1997 10:57:21 -0800
Message-Id: <199703121857.KAA05289@puffin.eng.sun.com>
From: Marianne Mueller <mrm@eng.sun.com>
To: nealmcb@bell-labs.com
Subject: Re: javakey and PGP-style fingerprints, keyids and keyservers

Thanks for the interesting note and your PGP program looks promising.

PGP implementations use 128-bit MD5 hashes of the public key, as key
fingerprints. I think there's a lot of benefit in being compatible
with PGP version 2.6 from MIT since that's in wide use.

I agree, it's a good idea to include the fingerprint of the key in a
key database. People can read those 16 bytes over the phone or put
them on business cards (as you point out.)

I'll duck on the code snippet you asked for (generating a PGP
certificate fingerprint), since I think you need to define which
fields of the certificates you want to hash. Also, I don't know, is
there an agreed upon certificate format for PGP? That probably needs
to be agreed on first, and then you figure out which fields of the
certificate you want to hash. As for a key fingerprint, just generate
the MD5 hash.

The certificate issues you raise are important and valid. It's hard
to address them here since it is such a big area, and as you point
out, a crucial central area for using signatures in the first place.
We are working on X.509v3 support and intend to then use those APIs to
build needed certificate services (or, collaborate with people who
provide services.) And, the intent is that the certificate interface
should serve for other types of certificate formats, like PGP
certificate format when one gets defined, or an SPKI certificate
format.

About a trusted certificate translation service: we have thought about
the need for services like that, but right now we are focused on
getting the X509v3 infrastructure in place, so that services can be
built on top of the JDK infrastructure.

About other uses for certificates:

There are many schools of thought on the topic of what a certificate
means. For now, we are using certificates to state identity. We're
aren't using certificates to make statements about code attributes.
I'd actually prefer not to start that discussion on java-security
since it's raging on every known security mailing list already - the
spki mailing list is a good place for talking with people about that.
(See http://www.clark.net/pub/cme/html/spki.html; the mailing list is
at spki@c2.net.)

We do want to provide a simple way for people to associate statements
about their Java programs with their signature on the code, and the
statements. We are working with the W3C on the Digital Signatures
standards effort. One thing you could do is sign a set of statements
about a program, and deliver that signed set of statements along with
the program. See
http://www.w3.org/pub/WWW/Security/DSig/Overview.html, in particular
the Manifest specification at
http://www.w3.org/pub/WWW/Security/DSig/Group/Manifest.html

Marianne