On 2017/06/01 21:04, Daniel Kahn Gillmor wrote:
> On Thu 2017-06-01 10:33:23 +0100, Andrew Gallagher wrote:
>> When multiple A-usage (sub)keys are found on a user's key, all valid
>> ones are by default emitted when exporting ssh public key blocks. It
>> would be nice if there was some identifier (e.g. long ID) in the
>> comments of these ssh pubkeys to identify which A key they correspond
>> to - this would be helpful in situations where only some of the A
>> privkeys are available (e.g. a smartcard).
>
> This sounds like a reasonable request, though i personally don't like
> key IDs in general [0]. What would you think about the full fingerprint
> of the subkey? is that too long? at least it would be unspoofable.

Sure, I'm happy with full fingerprints for robustness. It doesn't matter for my use case (discriminating between my own subkeys), but it might to others, so let's do it right. An ssh pubkey is a human-hostile slab of base64 anyway, so I don't think a few extra characters are worth worrying about.

> If we're going for something that can be spoofed/confused, what about
> the date of the subkey or something else that's more human-readable?

It currently puts a date in the comments but AFAICT it's the date that the export was performed, not the creation date of the source key material. Since the export is a reproducible process, the date it was performed is fairly meaningless. Maybe we should forget about emitting the export date and use the subkey creation date instead?

A
signature.asc
Description: OpenPGP digital signature
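The use case discussed in this thread (picking out, from a set of exported ssh pubkey lines, only those whose authentication subkey is actually available, e.g. on a smartcard) is shown below as an added example. It is not code from the thread or from GnuPG, and the comment format `openpgp:0x<FINGERPRINT>` and the sample keys and fingerprints are assumptions constructed for the example, not what any tool emits. Matching is done on the full 40-hex-digit fingerprint, so a comment that only carries a truncated key ID never matches, which is the robustness point made above.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw_pubkey: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line: 'ssh-ed25519 <base64 blob> <comment>'."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_pubkey_line(line: str):
    """Split an OpenSSH public-key line into (keytype, blob bytes, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The first wire string inside the blob must repeat the key type prefix.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type inside blob does not match the line's prefix")
    return keytype, blob, comment


def ssh_fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def openpgp_fingerprint_from_comment(comment: str):
    """Extract a full 40-hex-digit OpenPGP v4 fingerprint from a comment of the
    assumed form 'openpgp:0x<FINGERPRINT>'. Returns None for anything shorter
    (e.g. a 16-digit long key ID), so truncated identifiers are never accepted."""
    prefix = "openpgp:0x"
    if not comment.startswith(prefix):
        return None
    fpr = comment[len(prefix):].split()[0].upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        return None
    return fpr


def select_available(lines, available_fprs):
    """Keep only the pubkey lines whose comment names a subkey whose private
    half is available locally (e.g. on a smartcard)."""
    wanted = {f.upper() for f in available_fprs}
    chosen = []
    for line in lines:
        _, _, comment = parse_pubkey_line(line)
        fpr = openpgp_fingerprint_from_comment(comment)
        if fpr is not None and fpr in wanted:
            chosen.append(line)
    return chosen


# Constructed sample data: two fake ed25519 public keys and fake fingerprints.
FPR_A = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed, not a real key
FPR_B = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"  # constructed, not a real key
SAMPLE_LINES = [
    make_ed25519_pubkey_line(bytes(range(32)), "openpgp:0x" + FPR_A),
    make_ed25519_pubkey_line(bytes(range(32, 64)), "openpgp:0x" + FPR_B),
    # A comment carrying only a long key ID: deliberately never matched.
    make_ed25519_pubkey_line(bytes(range(32)), "openpgp:0x" + FPR_A[-16:]),
]


if __name__ == "__main__":
    # Only subkey A is "on the card" in this scenario.
    for line in select_available(SAMPLE_LINES, {FPR_A}):
        _, blob, comment = parse_pubkey_line(line)
        print(ssh_fingerprint(blob), comment)
```

Running the script prints the ssh-side SHA256 fingerprint and the comment for the single matching line; the ssh fingerprint is computed over the key blob itself, so it identifies the ssh key regardless of what the comment says, while the comment is what ties the line back to the OpenPGP subkey.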

