Re: cert:fingerprint ?

From: Mo McRoberts <mo.mcroberts@bbc.co.uk>
Date: Tue, 22 Nov 2011 17:12:43 +0000
Cc: "Henry Story" <henry.story@bblfish.net>, "WebID Incubator Group WG" <public-xg-webid@w3.org>, <foaf-protocols@lists.foaf-project.org>
Message-Id: <2B909C53-39B3-406E-8EBB-7F4EA0687443@bbc.co.uk>
To: Kingsley Idehen <kidehen@openlinksw.com>

On 25 Oct 2011, at 19:53, Kingsley Idehen wrote:

> On 10/25/11 12:38 PM, Henry Story wrote:
>> On 25 Oct 2011, at 18:33, Kingsley Idehen wrote:
>>> Henry,
>>> Since we have cert:key, what about cert:fingerprint?
>> How would you define it?
> Good question since WOT [1] and these newer Key oriented ontologies aren't aligned. In addition, WOT is conflating public key and x.509 certificate. The fingerprint I am talking about is a hash (md4, md5, sha, sha256, sha512) of the entire x.509 Cert.

WoT's definition of 'fingerprint' is horribly underspecced — it really needs to specify (even if just by reference!) how the fingerprint is computed: otherwise, how can you ever perform a reliable comparison?

For reference, a fingerprint which is included in an X.509 cert (e.g., is often used as subjectKeyIdentifier or authorityKeyIdentifier, and presented in many user interfaces) is actually the fingerprint of the DER-encoded public key data and *not* the rest of the cert.

PGP does things slightly differently, but not significantly so (from RFC4880 §12.2):

“For a V3 key, the eight-octet Key ID consists of the low 64 bits of the public modulus of the RSA key.

“The fingerprint of a V3 key is formed by hashing the body (but not the two-octet length) of the MPIs that form the key material (public modulus n, followed by exponent e) with MD5.  Note that both V3 keys and MD5 are deprecated.

“A V4 fingerprint is the 160-bit SHA-1 hash of the octet 0x99, followed by the two-octet packet length, followed by the entire Public-Key packet starting with the version field.  The Key ID is the low-order 64 bits of the fingerprint.”

Note that in neither case does the fingerprint contain any User ID packets (which are combined with the public key packet(s) to constitute a full “PGP Certificate” — the closest equivalent of an X.509 Certificate).


Mo McRoberts - Technical Lead - The Space,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
Project Office: Room 7083, BBC Television Centre, London W12 7RJ
Received on Tuesday, 22 November 2011 17:13:43 UTC
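
The RFC 4880 §12.2 computations quoted in the message above, written out as an added example that is not part of the original message. It goes slightly beyond the text by showing that a V4 fingerprint changes with the key's creation time, since it covers the entire Public-Key packet, while a V3 fingerprint depends only on n and e. The modulus, timestamps and function names are constructed for illustration.

```python
import hashlib
import struct

# Constructed sample values: N is a 2048-bit integer, not a real RSA modulus.
N = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big") | (1 << 2047) | 1
E = 65537

def mpi(value: int) -> bytes:
    """OpenPGP MPI: two-octet bit count, then the big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")

def rsa_v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a V4 RSA Public-Key packet, starting at the version field."""
    return struct.pack(">BIB", 4, created, 1) + mpi(n) + mpi(e)  # algorithm 1 = RSA

def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over 0x99, the two-octet packet length, then the whole body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def v4_key_id(body: bytes) -> bytes:
    """Low-order 64 bits of the V4 fingerprint."""
    return v4_fingerprint(body)[-8:]

def v3_fingerprint(n: int, e: int) -> bytes:
    """MD5 over the MPI bodies of n then e, skipping each two-octet length."""
    return hashlib.md5(mpi(n)[2:] + mpi(e)[2:]).digest()

def v3_key_id(n: int) -> bytes:
    """Low 64 bits of the public modulus."""
    return (n & (2**64 - 1)).to_bytes(8, "big")

if __name__ == "__main__":
    for created in (1321981963, 1321981964):  # constructed timestamps, 1 s apart
        body = rsa_v4_public_key_body(created, N, E)
        print("V4", created, v4_fingerprint(body).hex(), v4_key_id(body).hex())
    print("V3", v3_fingerprint(N, E).hex(), v3_key_id(N).hex())
```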