[Freedombox-discuss] the FreedomBox 'bump' challenge

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jun 16 13:57:20 UTC 2011

On 06/15/2011 06:46 PM, Paul Gardner-Stephen wrote:
> On Wed, Jun 15, 2011 at 10:33 PM, Clint Adams <clint at debian.org> wrote:
>> It has KEY, which is supposed to contain the entire certificate,
>> which is, as other people have said, highly impractical in
>> a QR code.  I don't see anything else relevant.
> Well, Elliptic Curve, e.g., Curve25519, can produce very short
> certificates, around 96 bytes to sign a block of data as I recall.
> Thus it may be possible after all.

yes, but as pointed out earlier, OpenPGP "keys" are actually
certificates issued by multiple parties.  The certificate grows in size
proportional (roughly) to the number of issuers.

So, assuming you're using an ECC key (which almost no one is with
OpenPGP these days), and it all fits in a QRCode, the additional
certification information *won't* fit in the QRCode once you have more
than a few certifications.

But more to the point, most people are using 2048-bit or 4096-bit RSA
keys these days.  These come down to 128 or 256 bytes, plus a few bytes
of overhead for the OpenPGP format.  Then you need to add the data for
the relevant User IDs, plus at the very least self-certifications
(certifications over each User ID by the primary key).

In addition, common practice today is to use a primary key for data
signing and key+ID certifications, plus a subkey for receiving encrypted
data (plus, possibly a subkey for online authentication services).  Each
subkey takes up more space, plus a certification over the subkey from
the primary key to prove that they belong together.

So you'll need some sort of external fetch anyway to pull in the whole
certificate; given that, you might as well only produce the fingerprint,
and allow fetching the larger key material via some other mechanism.
That'll leave more room in your QRCode for other data, and still allow
verifiable key transfer.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110616/f0ebad3d/attachment-0001.pgp>

More information about the Freedombox-discuss mailing list