W3C home > Mailing lists > Public > public-xg-webid@w3.org > November 2011

Re: cert:fingerprint ?

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Tue, 22 Nov 2011 12:25:57 -0500
Message-ID: <4ECBDB25.7000909@openlinksw.com>
To: public-xg-webid@w3.org
On 11/22/11 12:12 PM, Mo McRoberts wrote:
> On 25 Oct 2011, at 19:53, Kingsley Idehen wrote:
>> On 10/25/11 12:38 PM, Henry Story wrote:
>>> On 25 Oct 2011, at 18:33, Kingsley Idehen wrote:
>>>> Henry,
>>>> Since we have cert:key, what about cert:fingerprint?
>>> How would you define it?
>> Good question since WOT [1] and these newer Key oriented ontologies aren't aligned. In addition, WOT is conflating public key and x.509 certificate. The fingerprint I am talking about is a hash (md4, md5, sha, sha256, sha512) of the entire x.509 Cert.
> WoT's definition of 'fingerprint' is horribly underspecced — it really needs to specify (even if just by reference!) how the fingerprint is computed: otherwise, how can you ever perform a reliable comparison?
> For reference, a fingerprint which is included in an X.509 cert (e.g., is often used as subjectKeyIdentifier or authorityKeyIdentifier, and presented in many user interfaces) is actually the fingerprint of the DER-encoded public key data and *not* the rest of the cert.
> PGP does things slightly differently, but not significantly so (from RFC4880 §12.2):
> “For a V3 key, the eight-octet Key ID consists of the low 64 bits of the public modulus of the RSA key.
> “The fingerprint of a V3 key is formed by hashing the body (but not the two-octet length) of the MPIs that form the key material (public modulus n, followed by exponent e) with MD5.  Note that both V3 keys and MD5 are deprecated.
> “A V4 fingerprint is the 160-bit SHA-1 hash of the octet 0x99, followed by the two-octet packet length, followed by the entire Public-Key packet starting with the version field.  The Key ID is the low-order 64 bits of the fingerprint.”
> Note that in neither case does the fingerprint contain any User ID packets (which are combined with the public key packet(s) to constitute a full “PGP Certificate” — the closest equivalent of an X.509 Certificate).
> M.

To cut a long story short, please look at: 
. Follow the links.

We are using the Fingerprint as an optional alternative to looking up 
modulus and exponent. WebID adds "mirrored claims" to the mix re. TLS 
handshake. I believe modulus and exponent where initially choosen for 
this "mirrored claims" lookup on the basis of being the critical part of 
the security token used for the successful handshake. We've opted to add 
fingerprints to the mix since they are more compact and enable use 
leverage existing platforms like Twitter re. WebID publication.






Kingsley Idehen	
President&  CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Tuesday, 22 November 2011 17:26:53 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:26 UTC