Hi!

Find my proposal for a V5 key and a new fingerprint scheme below and
also with a colored diff at

<https://gitlab.com/openpgp-wg/rfc4880bis/commit/ba4f884c6d5483071d6adbc1e43978b60980440a>

Note that the patch builds upon

commit e5a0caef2d5cc291118db58a477d3c034b0997cc
Author: Werner Koch <***@gnupg.org>
Date: Tue Mar 7 11:52:27 2017 +0100

Factor key algorithm specific parts out to a new section.

Aside from having the public and secret key parameters now close
together, this editorial change will make it easier to add new a new
key packet format and prepares for algorithms which can't be described
by a list of MPIs (which is actually already the case for ECC keys).


Comments?


Shalom-Salam,

Werner

=====
From ba4f884c6d5483071d6adbc1e43978b60980440a Mon Sep 17 00:00:00 2001
From: Werner Koch <***@gnupg.org>
Date: Tue, 7 Mar 2017 17:48:15 +0100
Subject: [PATCH] Specify a v5 key version and a new fingerprint scheme.

The v5 key version is introduced to
a) to trigger the use of the new fingerprint scheme,
b) to prepare for algorithms which need keys larger than 64k,
c) to ease parsing of unknown algorithms.

The fingerprint algorithm uses SHA-256 because
a) 32 octets are sufficient for a fingerprint
(#include "640k-ram-will-always-be-enough.joke"),
b) SHA-256 is well matured and widely available,
c) SHA-256 is faster than SHA-512 on embedded platforms,
d) implementations need to support SHA-256 anyway because it is
the commonly used hash algorithms for signatures.

Although the fingerprint is specified at full length it is truncated
to 25 octets for purposes of the OpenPGP spec. This is so that
signatures are not too much enlarged without a good reason.

A human readable representation of the fingerprint is not given
because that was never done in OpenPGP. Implementations may for
example use

1122334455 6677889900 aabbccddee ff00112233 4455667788
or
11223 34455 66778 89900 aabbc cddee ff001 12233 44556 67788

to show fingerprints.

The Key ID is still defined because the 64 bits do not pose a problem
when used to selecting the decryption key. The leftmost 64 bits of
the fingerprint are used (v4 uses the rightmost).

Aside from a few editorial changes the actual changes are:

* Revocation key and Issuer Fingerprint:

- For a V5 key the 25 leftmost octets are used.

* Public key packet:

- New four-octet count of the public key material.
This is to ease parsing.

* Secret key packet

- S2K Usage octet MUST NOT be 255.
That is V5 keys require the SHA-1 checksum but
we may want to drop this in favor of an AEAD mode.

- New one-octet count of the S2K parameters.
This is to ease parsing.

- New four-octet count of the secret key material.
This is to ease parsing.

* Key IDs and Fingerprint

- The V5 fingerprint uses SHA-256

- The magic header is changed from 0x99 + two-octets length header
to 0x9a = four-octet length header. The four-octet public key
material count is inserted.

* EC DH Algorithm

- For the 20 octets representing a recipient in the KDF parameters
the v5 fingerprint truncated to 20 octets is used.
---
middle.mkd | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 81 insertions(+), 17 deletions(-)

diff --git a/middle.mkd b/middle.mkd
index 462730b..1cd9f86 100644
--- a/middle.mkd
+++ b/middle.mkd
@@ -1279,8 +1279,11 @@ #### {5.2.3.14} Regular Expression

#### {5.2.3.15} Revocation Key

-(1 octet of class, 1 octet of public-key algorithm ID, 20 octets of
-fingerprint)
+(1 octet of class, 1 octet of public-key algorithm ID, 20 or 25 octets
+of fingerprint)
+
+V4 keys use the untruncated 20 octet fingerprint; V5 keys use the
+right truncated 25 octet fingerprint

Authorizes the specified key to issue revocation signatures for this
key. Class octet must have bit 0x80 set. If the bit 0x40 is set, then
@@ -1629,7 +1632,9 @@ #### Issuer Fingerprint
64 bits of the fingerprint.

Note that the length N of the fingerprint for a version 4 key is 20
-octets.
+octets. For a version 5 key N is 25 and the fingerprint is right
+truncated to 25 octets.
+

### {5.2.4} Computing Signatures

@@ -1888,6 +1893,27 @@ ### {5.5.2} Public-Key Packet Formats
* A series of values comprising the key material. This is
algorithm-specific and described in section XXXX.

+The version 5 format is similar to the version 4 format except for the
+addition of a count for the key material. This count helps parsing
+secret key packets (which are an extension of the public key packet
+format) in the case of an unknown algoritm. In addition, fingerprints
+of version 5 keys are calculated differently from version 4 keys, as
+described in the section "Enhanced Key Formats".
+
+A version 5 packet contains:
+
+ * A one-octet version number (5).
+
+ * A four-octet number denoting the time that the key was created.
+
+ * A one-octet number denoting the public-key algorithm of this
+ key.
+
+ * A four-octet scalar octet count for the following key material.
+
+ * A series of values comprising the key material. This is
+ algorithm-specific and described in section XXXX.
+

### {5.5.3} Secret-Key Packet Formats

@@ -1903,7 +1929,10 @@ ### {5.5.3} Secret-Key Packet Formats
indicates that the secret-key data is not encrypted. 255 or
254 indicates that a string-to-key specifier is being given.
Any other value is a symmetric-key encryption algorithm
- identifier.
+ identifier. A version 5 packet MUST NOT use the value 255.
+
+ * Only for a version 5 packet, a one-octet scalar octet count of the
+ next 3 optional fields.

* [Optional] If string-to-key usage octet was 255 or 254, a one-
octet symmetric encryption algorithm.
@@ -1916,6 +1945,9 @@ ### {5.5.3} Secret-Key Packet Formats
octet not zero), an Initial Vector (IV) of the same length as
the cipher's block size.

+ * Only for a version 5 packet, a four-octet scalar octet count for
+ the following key material.
+
* Plain or encrypted series of values comprising the secret key
material. This is algorithm-specific and described in section
XXXX.
@@ -1929,6 +1961,8 @@ ### {5.5.3} Secret-Key Packet Formats
(if string-to-key usage octet is not zero). Note that for all
other values, a two-octet checksum is required.

+Note that the version 5 packet format adds two count values
+to help parsing packets with unknown S2K or public key algorithms.

Secret MPI values can be encrypted using a passphrase. If a string-
to-key specifier is given, that describes the algorithm for converting
@@ -1948,8 +1982,8 @@ ### {5.5.3} Secret-Key Packet Formats
at the beginning of each new MPI value, so that the CFB block boundary
is aligned with the start of the MPI data.

-With V4 keys, a simpler method is used. All secret MPI values are
-encrypted in CFB mode, including the MPI bitcount prefix.
+With V4 and V5 keys, a simpler method is used. All secret MPI values
+are encrypted in CFB mode, including the MPI bitcount prefix.

The two-octet checksum that follows the algorithm-specific portion is
the algebraic sum, mod 65536, of the plaintext of all the algorithm-
@@ -3475,17 +3509,15 @@ ## {12.2} Key IDs and Fingerprints

a.1) 0x99 (1 octet)

- a.2) high-order length octet of (b)-(e) (1 octet)
-
- a.3) low-order length octet of (b)-(e) (1 octet)
+ a.2) two-octet scalar octet count of (b)-(e)

- b) version number = 4 (1 octet);
+ b) version number = 4 (1 octet);

- c) timestamp of key creation (4 octets);
+ c) timestamp of key creation (4 octets);

- d) algorithm (1 octet): 17 = DSA (example);
+ d) algorithm (1 octet): 17 = DSA (example);

- e) Algorithm-specific fields.
+ e) Algorithm-specific fields.

Algorithm-Specific Fields for DSA keys (example):

@@ -3497,18 +3529,49 @@ ## {12.2} Key IDs and Fingerprints

e.4) MPI of DSA public-key value y (= g\*\*x mod p where x is secret).

+A V5 fingerprint is the 256-bit SHA-256 hash of the octet 0x99, followed
+by the four-octet packet length, followed by the entire Public-Key
+packet starting with the version field. The Key ID is the high-order 64
+bits of the fingerprint. Here are the fields of the hash material,
+with the example of a DSA key:
+
+ a.1) 0x9A (1 octet)
+
+ a.2) four-octet scalar octet count of (b)-(f)
+
+ b) version number = 5 (1 octet);
+
+ c) timestamp of key creation (4 octets);
+
+ d) algorithm (1 octet): 17 = DSA (example);
+
+ e) four-octet scalar octet count for the following key material;
+
+ f) algorithm-specific fields.
+
+ Algorithm-Specific Fields for DSA keys (example):
+
+ f.1) MPI of DSA prime p;
+
+ f.2) MPI of DSA group order q (q is a prime divisor of p-1);
+
+ f.3) MPI of DSA group generator g;
+
+ f.4) MPI of DSA public-key value y (= g\*\*x mod p where x is secret).
+
Note that it is possible for there to be collisions of Key IDs -- two
different keys with the same Key ID. Note that there is a much
smaller, but still non-zero, probability that two different keys have
the same fingerprint.

-Also note that if V3 and V4 format keys share the same RSA key
+Also note that if V3, V4, and V5 format keys share the same RSA key
material, they will have different Key IDs as well as different
fingerprints.

Finally, the Key ID and fingerprint of a subkey are calculated in the
-same way as for a primary key, including the 0x99 as the first octet
-(even though this is not a valid packet ID for a public subkey).
+same way as for a primary key, including the 0x99 (V3 and V4 key) or
+0x9A (V5 key) as the first octet (even though this is not a valid
+packet ID for a public subkey).

# Elliptic Curve Cryptography

@@ -3648,7 +3711,8 @@ ## EC DH Algorithm (ECDH)

- 20 octets representing a recipient encryption subkey or a master
key fingerprint, identifying the key material that is needed for
- the decryption.
+ the decryption. For version 5 keys the fingerprint is right
+ truncated to 20 octets.

The size of the KDF parameters sequence, defined above, is either 54
for the NIST curve P-256 or 51 for the curves P-384 and P-521.